Squeezing the Cybercrime Ecosystem in 2009 (2009- 
01-06 15:31) 

How do you trigger a change that would ultimately affect 
the entire cybercrime ecosystem? Going full disclosure may 
be the most logical option, but past experience reveals that 
using it has a modest temporary effect. For instance, 
exposing a stolen credit cards shop isn't going to separate 
the owner from the stolen database, neither would his 
customers base disappear, so stating that it's shut down in 
reality means that it's currently active at another location 
which the owner quickly communicates to the customers 
base. I keep seeing it happen once a sample service gets 

media attention, and I'll keep seeing it happen. 

The myth that geolocating their malicious activities would 
always end up in an Eastern European network where 

developed law enforcement agencies would have little to no 
jurisdiction at all, proved to be a [ljcommon stereotype 
given [2]that the well known [3]cybercrime-friendly ISPs 
that were shut down in 2008 were and have always been 

U.S based operations. Therefore, the excuse of not being 
able to take action due to the lack of international law 
enforcement cooperation isn't appicable in this case. 

So how should the cybercrime ecosystem be squeezed? 
Personalize it and communicate the levels of efficiency 

cybercriminals achieve by using the very same disturbing 
photos that they use to demonstrate the effectiveness of 
their web based stolen credit card shops in order to achieve 
the necessary public outbreak. 


Even though I pretend that the research and profiles of the 
underground tools and services that I've been de¬ 
tailing throughout 2008 is cutting-edge research, this 
research is basically scratching the surface, but how come? 
Just like there's a perfect and bad timing for a particular 
product or service to hit the market, in this very same 
fashion the general public is still not ready to embrace some 
of the highly disturbing point'n'click identity theft services 
that have been operating for years. Sadly, some even 
question the usability and authenticity of these 
underground services, and therefore a change has to be 
triggered by starting to publish the cybercriminals' ROI out 
of using them in the form of the photos of users swimming 
in cash that they've cashed-out of the stolen credit cards. 
Disturbing? It's supposed to be, since it will not only prompt 
public outbreak, but also, have a well proven self-regulation 
effect on behalf of the service owner's, at least from my 
personal experience while profiling related services. 
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This is perhaps the perfect moment to emphasize on how 
important threat intell sharing with law enforce¬ 
ment, whether directly based on personal contacts or 
through one-to-many communication model through private 

mailing lists, a cyber threats analysts case-building 
capabilities would not only prove valuable in the long term, 
but would also make it easier for someone to do their 
prosecuting job faster. And while important, threat intell 
sharing with law enforcement is not the panacea of 
squeezing the cybecrime ecosystem, since cybercrime 
should not be treated as the systematic abuse of 


common IT insecurities for fraudulent purposes, 
instead, it should be treated as a form of economic 
terrorism. Only then, would cybercrime receive the 
necessary attention instead of [4]such comments regarding 
McColo or Atrivo -" Resource-wise, we can't be in the 
business of prevention. We have to be in the business of 
prosecution. " Exactly. I guess that just like you cannot be a 
prophet in your own country, you cannot also be a prophet 
in your own agency, thankfully, the wisdom of the 
cybercrime fighting crowd is always there to take care and 
get zero credit at the end of the day. 

Personally, 2009 is going to be the year when personalizing 
cybercriminals would be taking place on a more regular 
basis, so stay tuned for an upcoming report summarizing 
"behind the curtains" cybercrime activities in 2008, 
underground responses to some of major busts of year 
including the DarkMarket operation, the fraudulent schemes 
allowing them to cash-out digital assets into hard cash, the 
basics of their social networking model, who's who in the 
hierarchy of a sampled business model of vendors of ATM 
skimming devices, the post-DarkMarket OPSEC 

practices introduced in order for cybecrime communities to 
verify the authenticity of their customers, the process of 
advertising and operating underground services as well as 
the communication methods used, in short - all the juicy 
details, screenshots and photos courtesy of the owners and 
customers of the services that haven't been 

communicated to the industry and the world throughout 
2008. 

Find attached a photo teaser acting as a confirmation for the 
usefulness of "yet another stolen credit card details service" 



in the wild, and have a productive year exposing low lifes 
and spilling coffee over their business models. 

Related posts: 

[5] 76Service - Cybercrime as a Service Going Mainstream 

[6] Using Market Forces to Disrupt Botnets 

[7] Localizing Cybercrime - Cultural Diversity on Demand 

[8] Localizing Cybercrime - Cultural Diversity on Demand 
Part Two 

[9] EstDomains and Intercage VS Cybercrime 
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[10] E-crime and Socioeconomic Factors 

[11] Money Mules Syndicate Actively Recruiting Since 2002 

[12] Price Discrimination in the Market for Stolen Credit 
Cards 

[13] Are Stolen Credit Card Details Getting Cheaper? 

[14] The Underground Economy's Supply of Goods 

1. http://blo a s.zdnet.com/securit v/? p = 2089 

2. http://blo a s.zdnet.com/securit v/? p = 2281 

3. http://blo a s.zdnet.com/securit v/? p = 2006 

4. http://www.securitvfocus.com/columnists/487 













5. http://ddanchev.blo as pot.com/2QQ8/Q8/76service- 
c vbercrime-as-service- a oin a .html 


6. http://ddanchev.blo as pot.com/2QQ8/Q6/usin a -market- 
forces-to-disrupt-botnets.html 

7. http://ddanchev.blo as pot.com/2QQ8/Q2/localizin a- 
c vbercrime-cultural.html 

8. http://ddanchev.blo as pot.com/2QQ8/ll/localizin a- 
c vbercrime-cultural.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q9/estdomains-and- 
interca a e-vs-cvbercrime.html 

10. http://ddanchev.blo as pot.com/2QQ8/Ql/e-crime-and- 
socioeconomic-factors.html 


11. http://ddanchev.blo as pot.com/2QQ8/lQ/monev-mules- 
s vndicate-activelv.html 

12. http://ddanchev.blo as pot.com/2QQ8/Q6/price- 
discrimination-in-market-for.html 


13. http://ddanchev.blo as pot.com/2QQ8/Q7/are-stolen- 
credit-card-details- a ettin a .html 

14. http://ddanchev.blo as pot.com/2QQ7/Q3/under a round- 
economvs-su ppl v-of- a oods.html 
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How do you trigger a change that would ultimately affect 
the entire cybercrime ecosystem? Going full disclosure may 
be the most logical option, but past experience reveals that 
using it has a modest temporary effect. For instance, 
exposing a stolen credit cards shop isn't going to separate 
the owner from the stolen database, neither would his 
customers base disappear, so stating that it's shut down in 
reality means that it's currently active at another location 
which the owner quickly communicates to the customers 
base. I keep seeing it happen once a sample service gets 

media attention, and I'll keep seeing it happen. 

The myth that geolocating their malicious activities would 
always end up in an Eastern European network where 

developed law enforcement agencies would have little to no 
jurisdiction at all, proved to be a [ljcommon stereotype 
given [2]that the well known [3]cybercrime-friendly ISPs 
that were shut down in 2008 were and have always been 

U.S based operations. Therefore, the excuse of not being 
able to take action due to the lack of international law 
enforcement cooperation isn't appicable in this case. 

So how should the cybercrime ecosystem be squeezed? 
Personalize it and communicate the levels of efficiency 

cybercriminals achieve by using the very same disturbing 
photos that they use to demonstrate the effectiveness of 
their web based stolen credit card shops in order to achieve 
the necessary public outbreak. 

Even though I pretend that the research and profiles of the 
underground tools and services that I've been de- 



tailing throughout 2008 is cutting-edge research, this 
research is basically scratching the surface, but how come? 
Just like there's a perfect and bad timing for a particular 
product or service to hit the market, in this very same 
fashion the general public is still not ready to embrace some 
of the highly disturbing point'n'click identity theft services 
that have been operating for years. Sadly, some even 
question the usability and authenticity of these 
underground services, and therefore a change has to be 
triggered by starting to publish the cybercriminals' ROI out 
of using them in the form of the photos of users swimming 
in cash that they've cashed-out of the stolen credit cards. 
Disturbing? It's supposed to be, since it will not only prompt 
public outbreak, but also, have a well proven self-regulation 
effect on behalf of the service owner's, at least from my 
personal experience while profiling related services. 
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This is perhaps the perfect moment to emphasize on how 
important threat intell sharing with law enforce¬ 
ment, whether directly based on personal contacts or 
through one-to-many communication model through private 

mailing lists, a cyber threats analysts case-building 
capabilities would not only prove valuable in the long term, 
but would also make it easier for someone to do their 
prosecuting job faster. And while important, threat intell 
sharing with law enforcement is not the panacea of 
squeezing the cybecrime ecosystem, since cybercrime 
should not be treated as the systematic abuse of 
common IT insecurities for fraudulent purposes, 
instead, it should be treated as a form of economic 
terrorism. Only then, would cybercrime receive the 


necessary attention instead of [4]such comments regarding 
McColo or Atrivo -" Resource-wise, we can't be in the 
business of prevention. We have to be in the business of 
prosecution. " Exactly. I guess that just like you cannot be a 
prophet in your own country, you cannot also be a prophet 
in your own agency, thankfully, the wisdom of the 
cybercrime fighting crowd is always there to take care and 
get zero credit at the end of the day. 

Personally, 2009 is going to be the year when personalizing 
cybercriminals would be taking place on a more regular 
basis, so stay tuned for an upcoming report summarizing 
"behind the curtains" cybercrime activities in 2008, 
underground responses to some of major busts of year 
including the DarkMarket operation, the fraudulent schemes 
allowing them to cash-out digital assets into hard cash, the 
basics of their social networking model, who's who in the 
hierarchy of a sampled business model of vendors of ATM 
skimming devices, the post-DarkMarket OPSEC 

practices introduced in order for cybecrime communities to 
verify the authenticity of their customers, the process of 
advertising and operating underground services as well as 
the communication methods used, in short - all the juicy 
details, screenshots and photos courtesy of the owners and 
customers of the services that haven't been 

communicated to the industry and the world throughout 
2008. 

Find attached a photo teaser acting as a confirmation for the 
usefulness of "yet another stolen credit card details service" 
in the wild, and have a productive year exposing low lifes 
and spilling coffee over their business models. 


Related posts: 



[5] 76Service - Cybercrime as a Service Going Mainstream 

[6] Using Market Forces to Disrupt Botnets 

[7] Localizing Cybercrime - Cultural Diversity on Demand 

[8] Localizing Cybercrime - Cultural Diversity on Demand 
Part Two 

[9] EstDomains and Intercage VS Cybercrime 
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Summarizing Zero Day's Posts for December (2009- 
01-06 16:19) 

The following is a brief summary of all of my posts at [l]Zero 
Day for December, 2008. You can also go through 

previous summaries for [2]November, [3]October, 
[4]September, [5]August and [6]July, as well as subscribe to 
my 





































[7]personal RSS feed or [8]Zero Day's main feed. 


Notable articles for December include [9]ICANN terminates 
EstDomains, Directi takes over 280k domains (in¬ 
terview with Stacy Burnette from the ICANN); [10]With 
256-bit encryption, Acrobat 9 passwords still easy to crack 
(interview with Dmitry Sklyarov and Vladimir Katalov 
from Elcomsoft) and [ll]Gmail, Yahoo and Hotmail 
systematically abused by spammers. 

01. [12]AlertPay hit by a large scale DDoS attack 
02. [ 13]IT expert executed in Iran 

03. [14]Vendor claims Acrobat 9 passwords easier to crack 
than ever 

04. [15]Microsoft's Live Search (finally) adds malware 
warnings 

05. [16]ICANN terminates EstDomains, Directi takes over 
280k domains 

06. [17]Password stealing malware masquerades as Firefox 
add-on 

07. [18]With 256-bit encryption, Acrobat 9 passwords still 
easy to crack 
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08. [19]Trusteer launches search engine for malware 
configuration files 

09. [20]With or without McColo, spam volume increasing 
again 



10. [21 ]Vint Cerf's Twitter account hacked, suspended for 
spam 

11. [22]Gmail, Yahoo and Hotmail systematically abused by 
spammers 

12. [23]IE7 XML parsing zero day exploited in the wild 

13. [24]FourXSS flaws hit Facebook 

14. [25]Thousands of legitimate sites SQL injected to serve 
IE exploit 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/2QQ8/12/summarizin a- 
zero-da vs- posts-for.html 

3. http://ddanchev.blo as pot.com/20Q8/ll/summarizin a- 
zero-da vs- posts-for-october.html 

4. http://ddanchev.blo as pot.com/2QQ8/lQ/summarizin a- 
zero-da vs- posts-for.html 

5. http://ddanchev.blo as pot.com/2QQ8/Q9/summarizin a- 
zero-da vs- posts-for-au a ust.html 

6. http://ddanchev.blo as pot.com/20Q8/Q8/summarizin a- 
zero-da vs- posts-for- i ul v.html 

7. http://updates.zdnet.com/ta a s/dancho-i-danchev.html? 
t=Q&s=Q&o=l&mode=rss 


8. http://feeds.feedburner.com/zdnet/securit v 

9. http://blo a s.zdnet.com/securit v/? p = 2260 

10. http://blo a s.zdnet.com/securit v/? p=2271 





































11. http://blo a s.zdnet.com/securit v/? o=2293 

12. http://blo a s.zdnet.com/securit v/? o=2240 

13. http://blo a s.zdnet.com/securit v/? o=2246 

14. http://blo a s.zdnet.com/securit v/? o=2253 

15. http://blo a s.zdnet.com/securit v/? o=2257 

16. http://blo a s.zdnet.com/securit v/? o=2260 

17. http://blo a s.zdnet.com/securit v/? o=2264 

18. http://blo a s.zdnet.com/securit v/? o=2271 

19. http://blo a s.zdnet.com/securit v/? o=2275 

20. http://blo a s.zdnet.com/securit v/? o=2281 

21. http://blo a s.zdnet.com/securit v/? o=2287 

22. http://blo a s.zdnet.com/securit v/? o=2293 

23. http://blo a s.zdnet.com/securit v/? p=2296 

24. http://blo a s.zdnet.com/securit v/? o=2308 

25. http://blo a s.zdnet.com/securit v/? o=2328 
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Dissecting the Bogus Linkedln Profiles Malware 
Campaign (2009-01-07 15:36) 

Nice catch, in the sense that [l]Linkedln was among the 
very few social networking sites left untouched by 















































cybercriminals in 2008. With Linkedln's staff actively 
removing the close to a hundred bogus profiles, let's dissect 
the campaign by exposing all the participating malware 
domains, the redirectors, the droppers' detection rates and 
the rest of the domains in their portfolio. 

Domains used on the bogus profiles : 

sextapegirls .net (88.214.200.5) 
celebsvids .net (216.195.57.47) 
katynude .com (216.195.57.47) 
delshikandco .com (82.103.132.114) 
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All the internal pages at sextapegirls .net (sextapegirls 
.net/1.html; sextapegirls .net/2.html; sextapegirls 

.net/3.html; sextapegirls .net/4.html; sextapegirls 
.net/5.html) redirect to hotvidz .info/5.html 

(88.214.200.5) as well as all the internal pages at 
celebsvids .net where [2]TubePlayer.ver.6.20885.exe is 
served as a fake video player. 

Among the rest of the domains used, katynude 
.com/1.html (216.195.57.47) redirects to quickly-porn- 
tube 

.net/get.php?id=20885 &p=74 (69.59.21.247) which 
then redirects to tube-4you-best .com/xxplay.php? 
id = 20885 


(69.59.21.247) where 2009download-best-soft 
.com/TubePlayer. ver.6-20885.exe (94.247.3.228) is 
again served. 

The fourth domain used on the bogus Linkedln profiles, 

delshikandco .com/movies/Iinkedin.html 

(82.103.132.114) once deobfuscated leads to delshiktds 
.com/in.cgi?6 (64.27.28.225), a traffic management kit's 
redirection point which redirects to delshiktds 
.com/in.cgi?ll, celebs-online2009 .com/video.php 
(64.27.28.225) and megaporn-tubesonline 
.com/xplays.php?id = 88 where 
codecdownload.filesstorage4you 
.com/exclusivemovie.88.exe [3]is served next to 
codecdownload.viewersoftwarearchive 
.com/exclusivemovie.O.exe (94.247.3.232) which a copy 
of 

[4]Win32/Renos. 
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The downloader then phones back to : 
dasgdasg .net (91.205.96.12) 

new-york-images .com (89.149.207.114) 
future-pictures .com (94.247.2.117) 
download-everything.com (69.46.16.99) 
archiveviewsoftware.com 


193.142.244.17 


Naturally, the people behind this malware campaign have 
centralized the rest of the malicious domains by 

parking them at the very same IPs used in the redirectors. 
The domains are pretty descriptive themselves, and it's also 
worth pointing out that they intend to start introducing 
newly registered fake security software ones: 

[5]94.247.3.228 

files-upload-21 .com 
downloabsecureherel .com 
downloabsecurehere2 .com 
downloabsecurehere3 .com 
downloabsecurehere4 .com 
fast-download-base-free .com 
download-all4free .com 
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download-softarch .com 
dwnld-files .com 
get-frsh-files .com 
download-fls.com 
downloadall-soft-now .com 


downloadallsoft-now. com 



download-allsoftnow .com 


downloadallsoftnow .com 
soft-4-you-download .net 
get-files-4free .net 
download-top-software .net 
files-download-arch .net 
download-files-bak .net 
download-files-plus .net 
pure-download-new .net 
[6]69.59.21.247 
uni-tube-911 .com 
bestmytubeonilnel .com 
bestmytubeonilne2 .com 
bestmytubeonilne3 .com 
mybest-pov-tube .com 
my-bestpov-tube .com 
u-tube-verse .com 
tubeger .com 
tube-4-free-center .com 
tube-4you-best .com 



tube-hu .com 


tube-more-sex .com 
quickly-porn-tube .net 
fast-xxx-tube .net 
tube-chick .net 
tube-free-4-adult .net 
antivir-av-toolz .net 
scanner-pc-toolz .net 
av-scan-soft .net 
av-scan-here .net 
anti-vir-toolz .com 
freenonline-scannerw .com 
freenonline-scanner .com 
av-mc-antivir-checker .com 
freenonline-scannera .com 
bestmyscanneronilne3 .com 
bestmytubeonilne3 .com 
bestmyscanneronilne2 .com 
bestmytubeonilne2 .com 
[7]94.247.3.232 



viewerdownload2009 .com 
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freedownload2009 .com 
filesstorage2009 .com 
exefileshere2009 .com 
bestfilesarchive2009 .com 
softwareviewers2009 .com 
filesinnet4you2009 .com 
downloadfilesservice .com 
jetexestorage .com 
clickandgetfile .com 
secretfilesstoragehere .com 
x-filesstorehere .com 
filesportalhere .com 
exefileshere .com 
extrafilesonlyhere .com 
pornexearchive .com 
viewerarchive .com 
crystalfilesarchive .com 
download2009exe .com 



3d-softwareportal .com 
downloadfilesportal .com 
exesoftportal .com 
software porta I exefi I es .com 
becollectionoffiles .com 
extracoolfiles .com 
freepornclips2u .com 
filesstorage4you.com 
downloadexenow .com 

The same people, the same tactics, different domains and 
netblocks used. 

1. http://blo a .trendmicro.com/bo a us-lmkedin-profiles- 
harbor-malicious-content/ 

2 . 

https://www.virustotal.com/analisis/377260b69eQ345c258Q 

2d439bcle628a 

3. 

https://www.virustotal.com/analisis/6a6adbd5f5bcbead9fa8 

be3fdcf27659 

4. 

http://www.virustotal.com/analisis/a351529fd685a898174b 

d6ff3b9Qa82b 


5. http://whois.domaintools.eom/94.247.3.228 














6. http://whois.domaintools.com/69.59.21.247 

7. http://whois.domaintools.eom/94.247.3.232 
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Domains Serving Internet Explorer Zero Day in 
December (2009-01-14 21:21) 

December, 2008 was marked by yet another [l]widespread 
Koobface campaign, next to a [2]massive SQL injection 

attack targeting Asian countries and serving the ex-Internet 
Explorer XML parsing zero day. Monitoring the attack closely 
and issuing abuse notices, it's worth pointing out that only 
two domains were SQL to target international sites, with the 
rest injected at Asian sites only. 

This tactic once again demonstrates the dynamics of the 
international underground communities whose un¬ 
derstanding of valuable stolen goods greatly differ based on 
the local market's demand for a particular item. For 
instance, stolen accounting data for a MMORPG is more than 
access to a stolen banking account on the Chinese 

underground marketplace, and exactly the opposite on the 
Russian underground marketplace. Interestingly, if the IE 

zero day was first discovered and abused in a targeted 
nature by Russian parties the very last thing they'd be 
serving is a password stealer for a MMORPG given the far 
more valuable from their perspective crimeware. Here are all 
of the SQL injected domains participating in the attack, with 
two Chinese groups responsible for them : 
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SQL injected domains currently active: 

- c.nuclear3 .com/css/c.js (121.10.108.161; 
121.10.107.233:70.38.99.97) also SQL injected as c. 

%6Euclear3 

.com/css/c.js in a cheap attempt to avoid detection 

- zs.gcp.edu .cn/z.js redirects to alimcma 

.3322.org/a0076159/a07.htm (121.12.173.218) and 
then to tongjitj.3322 

.org/tj/a 07.htm 

- w.94saomm .com/js.js (58.53.128.177) redirects to 

clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47) 

- idea21.org/h.js (66.249.130.142) redirects to idea21 
.org/indexl.htm 

- yrwap .cn/h.js (59.63.157.71) redirects to kodim 
.net/CONTENT/faq.htm 

Currently down, for historical preservation purposes and 
case building as these were exclusively serving the 

ex-IE zero day in December, 2008: 

17gamo .com/l.js 
s4d. in/h.js 
dbios .org/h.js 
armsart .com/h.js 



acglgoa .com/h.js 
9i5t .cn/a.js 
qqll7cc .cn/k.js 
s800qn .cn/csrss/w.js 
twwen .com/l.js 
s.shunxing .com.cn/s.js 
koll8 .cn/a.js 
s.shunxing .com.cn/s.js 
17aq .com/17aq/a.js 
s.kaisimi .net/s.js 
sshanghai .com/s.js 
s.ardoshanghai .com/s.js 
s.cawjb .com/s.js 
mysy8 .com/l/l.js 
mvoyo .com/l.js 
nmidahena .com/l.js 
tjwh202.162 .ns98.cn/l.js 

Thankfully, the IE zero day attack in December is an 
example of a "wasted" zero day, with the potential for abuse 
not taken advantage of. 


Related posts: 



[3] Massive SQL Injection Attacks - the Chinese Way 

[4] Yet Another Massive SQL Injection Spotted in the Wild 

[5] Obfuscating Fast-fluxed SQL Injected Domains 

[6] Smells Like a Copycat SQL Injection In the Wild 

[7] SQL Injecting Malicious Doorways to Serve Malware 

[8] SQL Injection Through Search Engines Reconnaissance 

[9] Stealing Sensitive Databases Online - the SQL Style 

[10] Fast-Fluxing SQL injection attacks executed from the 
Asprox botnet 

[lljSony PlayStation's site SQL injected, redirecting to 
rogue security software 

[12]Redmond Magazine Successfully SQL Injected by 
Chinese Flacktivists 

1. http://ddanchev.blo as DOt.com/2QQ8/12/dissectin a- 
koobface-worms-december.html 

2. http://blo a s.zdnet.com/securit v/? p = 2328 
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3. http://ddanchev.blo as pot.com/2QQ8/lQ/massive-sa l- 
ini ection-attacks-chinese.html 

4. http://ddanchev.blo as pot.com/2QQ8/05/vet-another- 
massive-sal-in i ection.html 

5. http://ddanchev.blo as pot.com/20Q8/Q7/obfuscatin a -fast- 
f1uxed-sal-in i ected.html 























6. http://ddanchev.blo as DOt.com/2QQ8/07/smells-like- 
cop vcat-sal-in i ection-m.html 


7. http://ddanchev.blo as pot.com/2QQ8/Q7/sal-in i ectin a- 
malidous-doorwavs-to.html 

8. http://ddanchev.blo as pot.com/2QQ7/Q7/sal-in i ection- 
throu a h-search-en a ines.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q5/stealin a- 
sensitive-databases-online-sal.html 

10. http://blo a s.zdnet.com/secu rit v/? p=1122 

11. http://blo a s.zd net.com/securi t v/? p=1394 

12. http://blo a s.zdnet.com/securit v/? p=1118 
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Pro-Israeli (Pseudo) Cyber Warriors Want your 
Bandwidth (2009-01-15 00:00) 

In the very same fashion in which [l]Chinese cyber warriors 
utilized the M [2]people's information warfare concept" 

against [3]CNN, followed by [4]Russia vs Estonia 
cyberattack, the [5]Russia vs Georgia cyberattack, and the 
[6]Electronic Jihad grassroots [7]movement attempt, pro- 
Israeli (pseudo) cyber warriors have released an application 
which once run would allow them to direct the supporters' 
bandwidth to well known pro-Hamas web sites. 

Each of these campaigns is orbiting around a unique 
application released on behalf of the coordinators. In 

































China vs CNN campaign it was anticnn.exe, in the 
[8]Electronic Jihad campaign it was e-jihad.exe, and in the 
pro-Israeli hacktivists vs Hamas it is [9JPatriotlnstaller.exe. 
Excluding anticnn.exe which was working, both e- 
jihad.exe and Patriotlnstaller.exe act as examples of 
how people's information warfare execution goes wrong. 

How come? The tools failed to deliver what they promised. 
An idle bot that I left upon becoming a patriotic supporter of 
the cause, indicated that the participants are basically 
idling, without any active DDoS attacks against a particular 
pro-Hamas web site. 
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Who are the people behind the project? 

" We are a group of students who are tired of sitting around 
doing nothing while the citizens of Sderot and the cities 
around the Gaza Strip are suffering, NO MORE! We will not 
sit around and watch our children fear and cry out for help 
while the missiles are flying over their heads! We say NO 
MORE! 

We created a project that unites the computer capabilities 
of many people around the world. Our goal is to 

use this power in order to disrupt our enemy's efforts to 
destroy the state of Israel. The more support we get, the 
efficient we are! 

You download and install the file from our site. The file is 
harmless to your computer and could be immediately 
removed. There is no need for identification of any kind - 
anonymity guaranteed !" 


The Help-lsrael-Win movement is naturally feeling the heat 
as well, and is constantly switching locations, with its 
currently active one - borabora.globat.com/ help-israel- 
win.com. The following are related domains used by the 
pro-Israeli cyber warriors: 

ronshalit.dot5hosting.com 

help-israel-win.com 

help-israel-win.tk 

help-israel-win.info 
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helpisraelwin.com 

In times when [10]DDoS attacks can be cost-effectively 
outsourced, it's pretty surprising that all the cyber warriors - 

excluding the ones in the Russia vs Georgia cyberattack - 
aren't taking advantage of the concept, but are relying on 
grassroots movement. The reason for this is the lack of 
contact points between the sellers of the DDoS services and 
the potential buyers, at least for the time being. 

Monitoring of the pro-Israeli patriot campaign would 
continue, with updates posted as soon as something 
actually happens. 

1. http://ddanchev.blo as oot.com/2QQ8/Q4/chinese- 
hacktivists-wa aina- peoples.html 

2. http://ddanchev.blo as pot.com/20Q7/10/peoples- 
information-warfare-concept.html 












3. http://ddanchev.blo as pot.com/2QQ8/Q4/ddos-attack- 
aa ainst-cnncom.html 


4. http://ddanchev.blo as pot.com/2Q07/Q8/vour-point-of- 
view-reauested.html 

5 . httP://blo a s.zdnet.com/securit v/? p = 167Q 

6. http://ddanchev.blo as pot.com/2QQ7/ll/electronic- i fhad- 
v30-what-cvber- f f had.html 

7. http://ddanchev.blo as pot.com/2QQ7/Q8/cvber- i ihadist- 
dos-tool.html 


8. http://ddanchev.blo as pot.com/2Q07/ll/electronic- ii hads- 
tara ets-Hist.html 

9. 

http://www.virustotal.com/analisis/a26ec3Qdc382ebdQcc6b 

4fQdl519b967 


10. http://ddanchev.blo as pot.com/2QQ7/lQ/botnet-on- 
demand-service.html 
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Embedding Malicious IFRAMEs Through Stolen FTP 
Accounts - Part Two (2009-01-19 17:29) 

The practice of using stolen or data mined - from a botnet's 
infected population - FTP accounts is nothing new. In March, 
2008, a tool originally published in February, 2007, got 
some publicity once [ 1 ]detaiIs of stolen FTP accounts 
belonging to Fortune 500 companies were found in the wild. 
Interestingly, none of the companies were serving 


































malicious iFrames on their compromised hosts back then. 

Despite the fact that 2008 was clearly [2]the year of the 
massive SQL injection attacks hitting everyone, everywhere, 
massive iFrame injection tools through stolen FTP accounts 
are still in development. Take for instance this very latest 
console/web interface based proprietary one currently 
offered for sale at $30. 
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Its main differentiation factors according to the author are 
the pre-verification of the accounting data in order to 
achieve better speed, advanced logs management and 
update feature allowing the malicious campaigner to easily 

introduce new iFrame at already iFrame-ED hosts through 
the compromised FTP accounts, and, of course, the what's 
turning into a commodity feature in the face of long-term 
customer support. In this case, that would be a hundred FTP 
accounting details to get the customers accustomed to the 
tool's features. 

Interestingly, at least according to the massive SQL 
injections taking place during the entire 2008, iFrame-ing 
has reached its decline stage, at least as the traffic 
acqusition/abuse method of choice. And with SQL injections 
growing, this very same FTP account data is serving the 
needs of the blackhat search engine optimizers bargaining 
on the basis of a pagerank. 

1. http://ddanchev.blo as DOt.com/2008/Q3/embeddin a- 
malidous-iframes-throu a h.html 






2. http://ddanchev.blo as pot.com/2QQ9/Ql/domains-servin a- 
internet-explorer-zero.html 
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A Diverse Portfolio of Fake Security Software - Part 
Fourteen (2009-01-19 22:03) 

The following currently active fake security software 
domains have been included within ongoing blackhat SEO 

campaigns, among the many other tactics that they use in 
order to attract traffic to them. Needless to say that the 
Diverse Portfolio of Fake Security Software domains series is 
prone to expand throughout the year. 

rapidspywarescanner .com (78.47.172.67) 

live-antiviruspc-scan .com 

professional-virus-scan .com 

proantiviruscomputerscan .com 

bestantivirusfastscan .com 

premium-advanced-scanner .com 

Domain owner: 

Name: Aennova M Decisionware 

Organization: NA 

Address: Rua Maestro Cardim 1101 cj. 112 
City: Sgo Paulo 
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Province/state: NA 
Country: BR 
Postal Code: 01323 
Phone: +5.5113245388 
Fax: +5.5113245388 
Email: victor@aennovas.com 
rapidantiviruspcscan .com (78.46.216.237) 
securedserverdownload .com 
securedonlinewebspace .com 
securedupdateupdatesoftware .com 
bestantivirusdefense .com 
live-pc-antivirus-scan .com 
best-antivirus-protection .com 
proantivirusprotection .com 
best-anti-virus-scanner .com 
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best-antivirus-scanner .com 
bestantivirusproscanner .com 


bestantivirusfastscanner .com 
protectedsystemupdates .com 
liveantispywarescan .com 
live-antispyware-scan .com 
internet-antispyware-scan .com 
Domain owner: 

Vadim Selin anzo45@freebbmail.com 
+ 74952783432 fax: +74952783432 
ul. Vorobieva 98-34 
Moskva Moskovskay oblast 127129 
ru 

antivirus-scan-your-pc .com (75.126.175.232; 
209.160.21.126) 

bestantivirusdefence .com 

best-antivirus-defense .com 

premiumadvancedscan .com 

bestantivirusproscan .com 

best-antivirus-pro-scanner .com 

internetprotectedpayments .com 


Domain owner: 



Name: Nikolai V Chernikov 


Address: yl. Kravchenko 4 korp. 2 kv. 17 
City: Moskva 
Province/state: NA 
Country: RU 
Postal Code: 119334 
Email: promasteryouth@gmail. com 
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It's interesting to point out that so far, none of the hundreds 
of typosquatted domains is taking advantage of a legitimate 
online payment processor. Instead, they not only self-service 
themselves, but offer to process payments for other 
participants in the affiliate network. In respect to these 
bogus domains, we have the following payment processors 
working for them : 

secure, softwaresecuredbilling 

.com 

(209.8.45.122) 

registered 

to 

Viktor 


Temchenko 


(TemchenkoVik- 

tor@googlemail.com) 

secure.goeasybill .com (209.8.25.202) registered to 
Chen Qing (dophshli@gmail.com) 

secure-plus-payments .com (209.8.25.204) registered to 
John Sparck (sparckOOO@mail.com) 

Related posts: 

[1] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[2] A Diverse Portfolio of Fake Security Software - Part Twelve 

[3] A Diverse Portfolio of Fake Security Software - Part Eleven 

[4] A Diverse Portfolio of Fake Security Software - Part Ten 

[5] A Diverse Portfolio of Fake Security Software - Part Nine 

[6] A Diverse Portfolio of Fake Security Software - Part Eight 

[7] A Diverse Portfolio of Fake Security Software - Part Seven 

[8] A Diverse Portfolio of Fake Security Software - Part Six 

[9] A Diverse Portfolio of Fake Security Software - Part Five 

[10] A Diverse Portfolio of Fake Security Software - Part Four 
[11 ]A Diverse Portfolio of Fake Security Software - Part Three 

[12] A Diverse Portfolio of Fake Security Software - Part Two 

[13] Diverse Portfolio of Fake Security Software 



1. http://ddanchev.blo as pot.com/2QQ8/ll/diverse-portfolio- 
of-fake-securitv 12.html 

2. http://ddanchev.blo as pot.com/20Q8/ll/diverse-portfolio- 
of-fake-securitv.html 
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3. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse-portfolio- 
of-fake-securitv 28.html 

4. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse-Portfolio- 
of-fake-securitv 22.html 

5. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse-portfolio- 
of-fake-secuiitv 16.html 

6. http://ddanchev.blo as pot.com/20Q8/lQ/diverse-portfolio- 
of-fake-securitv.html 

7. http://ddanchev.blo as pot.com/20Q8/09/diverse-portfolio- 
of-fake-securitv 30.html 

8. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse-Portfolio- 
of-fake-securitv 24.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse-portfolio- 
of-fake-securitv.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv_25.html 

11. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv 20.html 

12. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv.html 



























































13. http://ddanchev.blo as pot.com/2QQ7/12/diverse- 
portfolio-of-fake-securitv.html 
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Exposing a Fraudulent Google AdWords Scheme 
(2009-01-21 16:01) 

UPDATE: Conduit's Director of Strategic Marketing Hai 
Habot contacted me in regard to the campaign. Comment 
published at the bottom of the post. 

Despite my personal reservations towards the use of Google 
sponsored ads as an emerging traffic acquisition 

tactic [l]on behalf of scammers and cybercriminals - 
blackhat SEO is getting more sophisticated - Google 
sponsored ads are whatsoever still taken into consideration. 
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The fraudulent AdWords scheme that I'll discuss in this post, 
is an example of a Dominican scammer 

(ayuda@shareware.pro; Sms Telecom LLC, Roseau, 
St. George (00152) Dominica Tel: +117674400530) 

who's 

hijacking search queries for popular software applications, 
taking advantage of geolocation and http referer checks, in 
order to deliver a customized toolbar while earning revenue 
part of the [2]Conduit Rewards Program. 
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Naturally, the traffic acquisition tactic and the brandjacking 
of legitimate software are against the rules of both Google's, 
and Conduit's terms of use. Interestingly, out of all the 
adware-ish toolbars and affiliate based networks out there, 
he's chosen to participate in an affiliate network without a 
flat rate on per toolbar installation basis. Despite the efforts 
put into the typosquatting, the descriptive binaries on a 
country basis, and the localization of the sites in several 
different languages, he's failing to monetize the scam in the 
way he could possibly do compared to "fellow colleagues" of 
his. 

Brandjacked software domains part of the AdWords 
campaign : 

adobe-reader-co .com 
adware-co .com 
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flash-player-co .com 
paint-shop-pro .com 
winrar-co .com 
ccleaner-co .com 
firefox-co .com 
avi-codec-co .com 
guitar-pro-co .com 


codec-co .com 


opera-co .com 
messenger-comp .com 
servicepack-co .com 
azureus-co .com 
emulegratis .es 
messenger-plus-co .com 
zone-alarm-co .com 
directx-co .com 
bittorrent-co .com 
media-player-co .com 
emulefree .com 
divx-co .com 
office-co .com 
virtualdj-co .com 
zattoo-co .com 
clonecd-co .com 
tuneup-co.com 
lphant-co.com 
explorer-co.com 



amule-co .com 


messenger75-co .com 
limewire-comp .com 
lite-codec-co .com 
power-dvd-co .com 
messenger-plus-live-co .com 
reamweaver-co .com 
aresgratis .net 
vuze-co .com 
emuleespana .es 
regcleaner-co .com 
paint-net-co .com 
download-acelerator .com 
windownloadweb .com 
xp-codecpack-co .com 

The AdWords campaigns are spread across different local 
Google sites, and are targeting a particular local de¬ 
mographic only. Moreover, if the end user isn't coming from 
a sponsored ad, the download link on each and every of the 
participating sites is linking to the official site of the 
brandjacked software, and if he's coming from where he's 
supposed to be coming the software bundle including the 



revenue-generating toolbar is served in the following way : 

firefox-co .com/downloads/installer-5-firefox-uk.exe 

winamp-co .com/downloads/installer-37-winamp- 
uk.exe 
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winamp-co .com/downloads/installer-37-winamp- 
nl.exe 

zone-alarm-co .com/downloads/installer-18- 
zonealarm-nl.exe 

servicepack-co .com/downloads/installer-14-service- 
pack-3-uk.exe 

divx-co .com/downloads/installer-25-divx-uk.exe 

Upon installation the toolbar generates revenue for the 
campaigner, and given the fact that a single DIY tool¬ 
bar can be associated with a single rewards account, the 
campaigner is also maintaining a modest portfolio of 

toolbars. For instance : 

peer2peerne.media-toolbar.com - 

UserlD=UN20090120111936062 

peer2peeren.media-toolbar.com - UserlD =598F9353- 
BD10-47B9-8B40-29B33AD7A3E4 

The bottom line is that despite the fact that the campaigner 
is acquiring lots of traffic through the brandjacking, and is 
definitely breaking even based on the number of toolbars 
installed, he's failing to monetize the fraud scheme, at least 
for the time being. 



UPDATE: Hai Habot's comments -" The information you 
have provided will help us track the publisher and I will 
personally see that our compliance team looks into it ASAP. 

As you may know, Conduit does not have full control over 
the promotional activity of the publisher (i.e. his fraudulent 
use of Google Ad Words or any other usage of third party ads 
or links) however, the activity described in your post is 
clearly in violation of our terms of use (section V of the 
Conduit Publisher Agreement) and our compliance team can 
take different measures against this publisher including the 
removal of the toolbar from our platform. 

The Conduit Rewards program is not a standard affiliate 
network. It offers incentives to publishers based on their 
toolbar's long term performance. I didn't look into the stats 
of this specific publisher yet but I can assure you that such 
spam traffic would generate very little (if any) rewards. In 
any case - we will make sure that the rewards account of 
this publisher will be disabled until this compliance issue is 
resolved. " 

1. http://blo a s.zdnet.com/securit v/? p = 2405 

2. http://www.conduit.com/ 
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Embassy of India in Spain Serving Malware (2009-01- 
27 11:31) 

The very latest addition to the "embassies serving malware" 
series is the Indian Embassy in Spain/Embajada de la India 
en Espana (embajadaindia.com) [l]which is currently 






iFrame-ED - original infection seems to have taken place 
two weeks ago - with three well known malicious domains. 

Interestingly, the malicious attackers centralized the 
campaign by parking the three iFrames at the same IP, 

and since no efforts are put into diversifying the hosting 
locations, two of them have already been suspended. Let's 
dissect the third, and the only currently active one. iFrames 
embedded at the embassy's site: 

msn-analytics .net/count.php?o=2 

pinoc .org/count.php?o=2 

wsxhost .net/count.php?o=2 

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 

202.73.57.6 /mito/?t=2 and then to 202.73.57.6 

/mito/?h = 2e where the binary is served, [2]a compete 
analysis of which has already been published. The rest of 
the malicious domains - registered to 
palfreycrossvw@gmail.com - parked at [3]mito's IP 
appear to have been participating in iFrame campaigns 
since August, 2008 : 

google-analyze .cn 

yahoo-analytics .net 

google-analyze .org 

qwehost .com 

zxchost .com 


odile-marco .com 



edcomparison .com 
fuadrenal .com 
rx-white .com 

As always, the embassy is iFramed "in between" the rest of 
the remotely injectable sites part of their campaigns. 

Related assessments of embassies serving malware: 

[4] Embassy of Brazil in India Compromised 

[5] The Dutch Embassy in Moscow Serving Malware 
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[6] U.S Consulate in St. Petersburg Serving Malware 

[7] Syrian Embassy in London Serving Malware 

[8] French Embassy in Libya Serving Malware 

1. http://blo a .ismaelvalenzuela.com/20Q9/01/26/embass v- 
of-india-in-spain-found-servin a -remote-malware-throu a 

h-iframe-attack/ 

2. http://mad.internetPol.fr/archives/3-Etude-de-cas- 
lnfection-rootkit-TDSS.html 

3. http://whois.domaintools.eom/202.73.57.6 

4. http://ddanchev.blo as pot.com/2008/ll/embassv-of-brazil- 
in-india-compromised.html 

5. http://ddanchev.blo as pot.com/20Q8/01/dutch-embass v- 
in-moscow-servm a -malware.html 





















6. http://ddanchev.blo as DOt.com/20Q7/Q9/us-consulate-st- 
petersbur a -servin g .html 


7. http://ddanchev.blo as pot.com/2007/Q9/svrian-embass v- 
in-london-servin a .html 

8. http://ddanchev.blo as pot.com/20Q7/12/have-vour- 
malware-in-timelv-fashion.html 
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Poisoned Search Queries at Google Video Serving 
Malware (2009-01-28 17:04) 

UPDATE: A recently published article at [l]the Register by 
John Leyden incorrectly states that" [2]researchers at Trend 
Micro discovered that around 400,000 queries returning 
malicious results that lead to a single redirection point' 
wherease the researchers in question went public with the 
attack data on the [3]27th of January, and then again on the 
[4]28th of January. 

This isn't the first time the Register shows [5]an oudated 
siatuational awareness, following the [6]two month- 

old coverage of a proprietary email and personal 
information harvesting tool, [7]which I extensively covered 
in between receiving comments from one of the affected 
sites. 

A blackhat SEO-ers group that's been generating bogus link 
farms ultimately serving malware to their visitors 

during the past couple of months, has [8]recently started 
poisoning Google Video search queries and redirecting the 

















traffic to a fake flash player using the Porn Tube template. 
([9]The Template-ization of Malware Serving Sites). 

Approximately 400,000+ bogus video titles have already 
been crawled by Google Video. 

Instead of sticking to a proven traffic acquisition tactic in 
the face of adult videos, the campaigns are in fact 
syndicating the titles of legitimate YouTube videos in order 
to populate the search results. What's also worth pointing 
out that is that once they start duplicating the content - like 
they're doing with specific titles - based on their 21 

bogus publisher domains, they can easily hijack each and 
every of the first 21 results for a particular video. The fake 
flash player redirection is served only when the visitor is 
coming from Google Video, if he or a researcher isn't based 
on a simple http referer check, a legitimate YouTube video is 
served. 

Upon clicking on the video from any of their publisher 
domains, the user is taken to porncowboys 
.net/continue.php (94.247.2.34) then forwarded do 

xfucked .org/video.php?genre = babes &id=7375 
(94.247.2.34) to have the binary served at trackgame 
.net/download/FlashPlayer.v3.181.exe and qazextra 
. com/download/FlashPlayer. v3.181.exe 

[10]Detection rate for the flash player. 
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The malware publisher domains crawled by Google Video 
redirecting to the bogus flash player: 


nudistxxx .net - 22,000 bogus video titles 
realsexygirls .net - 21,000 bogus video titles 
trulysexy .net - 27,100 bogus video titles 
madsexygirls .net - 18,900 bogus video titles 
mypornoplace .net - 25,700 bogus video titles 
hotcasinoxxx .net - 28,900 bogus video titles 
hotgirlstube .net - 37,900 bogus video titles 
xgirlplayground .com - 50,600 bogus video titles 
puresextube .net - 20,700 bogus video titles 
xxxtube4u .com - 11,400 bogus video titles 
sexygirlstube .net - 63,100 bogus video titles 
xporntube .org - 12,800 bogus video titles 
xxxgirls .name - 33,500 bogus video titles 
girlyvideos .net - 37,500 bogus video titles 
mytubecentral .net - 38,900 bogus video titles 
puresextube .net - 20,700 bogus video titles 
teencamtube .com - 18,400 bogus video titles 
celebtube .org - 41,100 bogus video titles 
truexx .com - 16,900 bogus video titles 
hottesttube .net - 28,100 bogus video titles 



hotgirlsvids .net - 27,200 bogus video titles 

watch-music-videos .net - 14,900 bogus video titles 

marketvids .net - 29,900 bogus video titles 

gamingvids .net - 7,930 bogus video titles 

hentaixxx .info - 25,500 bogus video titles 

The campaign is currently in a cover-up phrase since 
[ll]discussing it yesterday and notifying Google with all 

the details. But the potential for abuse remains there. 
Timeliness vs comphrenesiveness of a malware campaign? 
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Following this example of comprehensivess, take into 
consideration the timeliness in the face of October 2008's 
campaign when [12]hot Google Trends keywords were 
automatically syndicated in order to hijack search traffic 

[13]which was then redirected to several hundred 
automatically registered [14]Windows Live blogs whose 
high 

pagerank made it possible for the blogs to appear within the 
first 5 results. 

1 . 

http://www.there a ister.co.uk/2QQ9/Q2/Q2/ a oo a le video sear 
ch poisoned/ 

2. http://blo a .trendmicro.com/ a oo a le-video-searches-be8n a- 
poisoned 


3. http://blo a s.zdnet.com/securit v/? p = 2433 













4. http://ddanchev.blo as DOt.com/2QQ9/01/poisoned-search- 
a ueries-at- a oo a le-video.html 

5. http://ddanchev.blo as oot.com/20Q8/Q7/risks-of-outdated- 
situational-awareness.html 

6 . 

http://www.there a ister.co.uk/2Q08/Q7/07/ i obsite_data_hackh 

arvestin a hack/ 

7. http://blo a s.zdnet.com/securit v/? p = 1085 

8. http://blo a s.zdnet.com/securit v/? p = 2433 

9. http://ddanchev.blo as pot.com/2QQ8/Q7/template-ization- 
Qf-malware-servin a .html 

10 . 

http://www.virustotal.com/analisis/346548a92al22e3dc70f 

d!2bcd316a7e 


11. http://blo a s.zdnet.com/securit v/? p=2433 

12. http://blo a s.zdnet.com/securit v/? p=1995 

13. http://ddanchev.blo as pot.com/2QQ8/lQ/svndicatin a- 
g oo a le-trends-kevwords-for.html 

14. 

http://www.filefactorv.eom/file/4faafd/n/ro a ue blo asaooale 
trends txt 
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The Template-ization of Malware Serving Sites - Part 
Two (2009-02-02 15:49) 

The growing use of "visual social engineering" in the form of 
legitimately looking codecs, flash player error screens, adult 
web sites, and YouTube windows in order to forward the 
infection process to the end use himself, is the direct result 
of the ongoing [l]template-ization of malware serving sites. 
This standardizing is all about achieving efficiency, in this 
case, coming up with high-quality and legitimately looking 
templates impersonating the average Internet user by 
enjoying the clean reputation of the impersonated service in 
question. 

The attached screenshot of very latest DIY windows media 
player with pretty straightforward instructions on 

how to modify the timing of the "missing codec" pop-up, is a 
great example of how cybercriminals rarely value the 
intellectual property of their fellow colleagues. The 

DIY template has in fact been ripped-off from a competing 
affiliate network participant (currently active xxxporn-tube 
.com/123/2/FFFFFF/3127/TestCodec/Best), its images 
hosted at ImageShack, and the codec released for everyone 
in the ecosystem to use - and so they will. 
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Interestingly, within the mirrored copy now tweaked and 
distributed for free using free image hosting services as 
infrastructure provider for the layout, there are also leftovers 
from the original campaign template that they mirrored 


- which ultimately leads us to [2]DAT0RU EXPRESS SERVISS 
Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv [3]ln the wake of 

[4]UkrTeleGroup Ltd's [5]demise - don't pop the corks just 
yet since the revenues they've been generating for the past 
several years will make it much less painful - a significant 
number of UkrTeleGroup customer, of course under 
domains, have been generating quite some malicious 
activity at zlkon.lv for a while. 

Portfolio of fake codecs serving domains parked at the 
original mirrored domain's IP : 

xxxporn-tube .com (93.190.140.56) 

uporntube-07 .com 
tubeporn08 .com 
porn-tube09 .com 
tubeporn09 .com 
xxxporn-tube .com 
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allsoft-free .com 
all-softfree .com 
Isoftfree .com 
porntubenew .com 


Download locations : 



brakeextra .com/download/FlashPlayer.v..exe 
(94.247.2.183) 

brakeextra .com/download/TestCodec.v.3.127.exe 
Entire portfolio of domains parked at (94.247.2.183) : 

brakeextra .com 
thebestporndump2 .com 
fire-extra .com 
xp-extra .com 
delfiextra .com 
qazextra .com 
track-end .com 
fire-movie .com 
extrabrake .com 
crack-serial-keygen-online .com 
extra-turbo .com 
extra-nitro .com 
apple-player .com 
meggauploads .com 
soft-free-updates .com 
quicktimesoft .com 



cleanmovie .net 


nitromovie .net 
trackgame .net 
quotre .net 
rexato .net 
spacekeys.net 

Dots, dots dots, trackgame .net is once again proving the 
multitasking mentality of cybercriminals these days - 

it's one of the download locations participating in the recent 
[6]Google Video search queries poisoning attacks. 

1. http://ddanchev.blo as pot.com/2QQ8/Q7/temolate-ization- 
of-malware-servin a .html 

2. http://pandalabs.pandasecuntv.com/archive/New- 
Ro a ue 3AQQ -Total-Defender.as px 

3. 

http://voices.washin a tonpost.com/securitvfix/2QQ9/Ql/troub 

led_ukrainian_host_sideli.html 

4. http://ddanchev.blo as pot.com/2008/02/ a eolocatin a- 
malicious-isps.html 

5. http://ddanchev.blo as pot.com/2QQ8/Q7/lazv-summer- 
davs-at-ukrtele a roup-ltds.html 

6. http://ddanchev.blo as pot.com/2QQ9/Ql/poisoned-search- 
a ueries-at- a oo a le-video.html 
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Copycat Web Malware Exploitation Kits Are Still 
Faddish (2009-02-02 16:21) 

The oversupply of web malware exploitation kits is in fact 
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Crimeware in the Middle - Adrenalin (2009-02-03 
14:42) 

What is Adrenalin? Adrenalin is an alternative to [l]the Zeus 
crimeware kit that never actually managed to scale the way 
Zeus did. Following recently leaked copies of what is 
originally costing a hefty $3000, crimeware kit Adrenalin, 
it's time to profile the kit, discuss its key differentiation 
factors from Zeus, and emphasize on why despite the fact 
that it leaked, the kit is not going to take any of Zeus-es 
market share. At least not in its current form. 

In the spirit of the emerging copycat web malware 
exploitation kits, Adrenalin too, isn't coded from scratch, 

but appears that - at least according to cybercriminals 
questioning its authenticity on their way to secure a bargain 
deal when purchasing it - Adrenalin is using portions of 
Corpse's original A-311 release. 

Adrenalin's description and features : 

" Injections system - inserting html/javascript code in the 
page / files / javascript or substitution of one code by 
another injection occurs in the stream mode, ie the 
modified page is loaded at once! 

(not as in the other BHO based trojans with insertions only 
after the full load the page (causing javascript problems) or 


limiting the impact (if for instance the user is on a mobile 
device connection). In our implementation, all works quickly 
and efficiently! 

- The collection of pieces of text from the html pages, as 
one of the modes of operation injector (balance, etc 

- Ftp grabbing - sniffer handles traffic and rip out from 
access to FTP. AH of this is going in an easy to read and 
process the form 

- Collector of certificates. Pulling out of all installed 
certificates including attempts to commit, and certificates 
that are marked as uncrackable. Certificates neatly stored 
for each individual bot. 

- Page redirector, allows you to replace a page or separate 
framing in the network, everything is done com¬ 
pletely unnoticed, substitution of the content occurs in the 
interior windsurfing, and even then the browser and any 
special lotion can be confident that is what you want. 

- Domain redirector, forwards all requests from the original 
site on the fake, address bar, and all references point to the 
original course can also be used to block access to certain 
sites 

- Universal form grabbing puller forms, can strip the data 
from the virtual keyboard these forms can rip off, even with 
not fully loaded pages. As distinguished from the other 
crime ware kits working through the tracking of 46 

users clicking buttons / links it intercepts the data has 
already been formed, which can be seen in the log. Data 



can be collected all the running, and keyword (filter) 


to delete the logs; noise over debris to chat and not 
necessary for the work sites. 

All data are transmitted in encrypted form, which is 
important to bypass the protection, like for instance 
ZoneAlarm's ID Lock. Undoubted advantage is also that the 
logs are sent instantly - in parallel with the data sent to the 
original site. 

No need to worry that the victim will go into an offline and 
accumulated locally log form grabbing are not able to send. 

- Screenshots at the address 

- TAN grabbing. The technology allows to effectively collect 
workers TANs 

- Periodic cleaning of cookies/flashcookie. 

- Grabbing around-the-forms words (without adjustment - 
Adrenalin defines its own algorithm that it must be 
collected, algorithm Improved!) 

- The collection of passwords, for instance Protected 
Storage (IE auto complete, protected sites, outlook) 

- Classic keylogger 

- Cleaning system from BHO trojans, advertising panels and 
other debris. As is well known - are less vulnerable 
machines, and want to put on something more. Cleaning 
system greatly increases the chances of survival 

- Anti-Anti Root kit mechanisms 

- Work on the system without the EXE file 



- User-friendly format logs! Forget the piles of files stupid! 

- 5ocks4 / 5 + http (s) proxy server enabled on the infected 
host 

- Shell + Backshell enabled on the infected host 

- Socks admin 

- Management of each bot individually, or simultaneously 
(Downloading files, updating settings, etc.) 

- Requires PHP on the web based command and control host 

- Ability to output commands (including downloads), taking 
into account the country's bot (function as a resident loader 
statistically for programs) - and other small pleasures" 
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Without the web injection and the TAN grabbing ability, 
Adrenalin is your typical malware kit, whose only 
differentiation factor would have been the customer support 
in the form of the managed undetected malware binaries 

that naturally comes with it. However, it's TAN grabbing 
ability, proprietary collection of data "around the forms", 
stripping content from virtual keyboards and automatic 
certificates collection on per host basis, and its ability to 
clean the system from competing BHO-based trojans, make 
it special. 


How do you actually measure the popularity of crimeware 
kit? Based on the the market share of the crime kit, or based 
on another benchmark? It's all a matter a perspective and a 
quantitative/qualitative approach. For instance, I can easily 
argue that if the very same community was build around 
Adrenalin the way it was built around Zeus 

making the original Zeus release looks like an amateur-ish 
release, perhaps Adrenalin would have scaled pretty fast. 

Some of the community improvements include : 

- [2]Modified Zeus Crimeware Kit Comes With Built-in MP3 
Player 

- [3]Modified Zeus Crimeware Kit Gets a Performance Boost 

- [4]Zeus Crimeware Kit Gets a Carding Layout 
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For the time being, the innovation or user-friendly features 
boosting the popularity of Zeus come from the third-party 
coders improving the original Zeus release. Moreover, not 
only are they improving it, [5]they're also looking for 
vulnerabilities within the different releases, and actually 
finding some. What does this mean? It means that we have 
clear evidence of crimeware monoculture, with a single kit 
maintaining the largest market share. 

With the cybercrime ecosystem clearly embracing the 
outsourcing concept for a while, it shouldn't come as a 

surprise, that [6]botnets running the Zeus crimeware are 
offered for rent at such cheap rates that purchasing the kit 


and putting efforts into aggregating the botnet may seem a 
pointless endeavor in the eyes of a prospective 

cybercriminal, even an experienced one interested in 
milking inexperienced cybercriminals not knowing the real 

value of what they're doing. 

Moreover, speaking of monetization, the attached 
screenshots represent a very decent example of monetizing 

the reconaissance process of E-banking authentication that 
cybercriminals or vendors of crimeware services 

undertake in order to come up with the modules targeting 
the financial institutions of a particular country. Is this 
monetization just "monetization of what used to be a 
commodity good/service 11 as usual taking into consideration 
this overall trend, or perhaps there's another reason for 
monetizing snapshots of E-banking authentication activities 
in order to later on achieve efficiency in the process of 
abusing them? But of course there is, and in that case it's 
the fact that no matter that a potential cybercriminal has 
obtained access to a crimeware kit, its database of injects is 
outdated and therefore a new one has to be either built or 
purchased. 

With Adrenalin now leaked to the general script kiddies and 
wannabe cybercriminals, it's only a matter of 

time until a community is build around it, one that would 
inevitably increase is popularity and prompt others to 50 

introduce new features within the kit. 

Related posts: 
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[8] Localized Bankers Malware Campaign 
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[10] Defeating Virtual Keyboards 

[11] PayPars Security Key 

1. http://ddanchev.blo as oot.com/2QQ8/Q4/crimeware-in- 
middle-zeus.html 

2. http://ddanchev.blo as pot.com/2QQ8/Q9/modified-zeus- 
crimeware-kit-comes-with.html 

3. http://ddanchev.blo as pot.com/2QQ8/ll/modified-zeus- 
crimeware-kit- a ets.html 

4. http://ddanchev.blo as pot.com/2QQ8/ll/zeus-crimeware- 
kit- a ets-cardin a -lavout.html 

5. http://ddanchev.blo as pot.com/2QQ8/Q6/zeus-crimeware- 
kit-vulnerable-to.html 

6. http://ddanchev.blo as pot.com/2QQ8/12/zeus-crimeware- 
as-service- a oin a .html 

7. http://ddanchev.blo as pot.com/2QQ7/ll/tar a eted- 
s pammin a -of-bankers-malware.html 

8. http://ddanchev.blo as pot.com/2QQ8/Q3/localized-bankers- 
malware-campai a n.html 

9. http://ddanchev.blo as pot.com/2Q07/Q5/client-a p plication- 
for-secure-e-bankin a .html 






































10. http://ddanchev.blo as pot.com/2007/Q5/defeatin a- 
virtual-kevboards.html 

11. http://ddanchev.blo as pot.com/2007/Q8/ pav pals- 
securitv-kev.html 

51 

K 

A Diverse Portfolio of Fake Security Software - Part 
Fifteen (2009-02-03 23:06) 

Descriptive fake security software domains speak for 
themselves, and what follows are the very latest ones 
currently active in the wild : 

spywareguard2009m .com (78.26.179.253; 94.247.2.39) 

systemguard2009m .com 
spywareguard2009 .com 
systemguard2009 .com 
getsysgd09 .com 

Registrant: Damir Sbil; Email: 

da mirsbils79 l@googlemail.com 

antispyscannerl3 .com (94.247.2.39; 78.26.179.253) 

sgproductm .com 
sgviralscan .com 
sglOscanner .com 
sgllscanner .com 
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sgl2scanner .com 
sg9scanner .com 
sgproduct .com 

Registrant: Ahmo Stolica; Email: 

ahmostoln73@yahoo.com 

buysysantivirus2009 .com (94.247.2.75) 
sysav-download .com 
sysav-storage .com 
sysantivirus-check .com 
antispyware-pro-dl .com 
sysantivirus2009 .com 
sysav-download .com 
sysav-storage .com 
sysantivirus-check .com 
antispywarefastcheck .com 
antispyware-scanner-2009 .com 
antispyware-pro-dl .com 

Registrant: Dion Choiniere; Email: 

noelwollenberg@ymail.com 


premium-antivirus-defence.com (195.24.78.186) 

lite-antispyware-scan.com 

computeronlinescan.com 

lite-antispyware-scan.com 

liteantispywarescan.com 

liteantispywarescanner.com 
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liteantispywareproscan.com 

onlineproantispywarescan.com 

bestantispywarescan.com 

bestantispywarelivescan.com 

antispywareliveproscan.com 

antispywareinternetproscan.com 

bestanti-virusscan.com 

antimalware-scanner.com 

computerantivirusproscanner.com 

antimalwareproscanner.com 

antimalware-pro-scanner.com 

antimalware-scanner.com 


antimalware-scan.com 



computeronlineproscanner.com 

Registrant: Maksim Hirivskiy Email: 

altl65@freebbmail.com 
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DNS servers to keep an eye on, courtesy of UralComp-as 
Ural Industrial Company LTD (AS48511) : 

nsl.europegigabyte .com 

fastuploadserver .com 

nsl.managehostdns .com 

dns3.systempromns .com 

nsl.freehostns .com 

nsl.singatours .com 

nsl.airflysupport .com 

nsl.eguassembly .com 

nsl.fastfreetest .cn 

Proactively blocking these undermines a great deal of traffic 
acquisition campaigns whose aim is to hijack le¬ 
gitimate traffic to these domains. 
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Summarizing Zero Day's Posts for January (2009-02- 
05 21:15) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for January. You can also go through 
previous summaries for [2]December, [3]November, 
[4]October, [5]September, [6]August and [7]July, as well as 

subscribe to my [8]personal RSS feed or [9]Zero Day's main 
feed. 

Notable articles for January include [lOJMicrosoft study 
debunks phishing profitability; [llJLegal concerns 

stop researchers from disrupting the Storm Worm botnet 
and [12]Google Video search results poisoned to serve 

malware. 

01. [13]Thousands of Israeli web sites under attack 

02. [14]Bogus Linkedln profiles serving malware 

03. [15]Microsoft study debunks phishing profitability 

04. [16]Paris Hilton's official web site serving malware 

05. [17]Malware author greets Microsoft's Windows 
Defender team 

06. [18]3.5m hosts affected by the Conficker worm globally 

07. [19]GoDaddy hit by a DDoS attack 

08. [20]Legal concerns stop researchers from disrupting the 
Storm Worm botnet 
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09. [21]Malware-infected WinRAR distributed through 
Google AdWords 

10. [22]New mobile malware silently transfers account 
credit 

11. [23]GPU-Accelerated Wi-Fi password cracking goes 
mainstream 

12. [24]Google Video search results poisoned to serve 
malware 
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14. http://blo a s.zdnet.com/securit v/? p=2358 
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18. http://blo a s.zdnet.com/securit v/? p=2388 
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Quality Assurance in a Managed Spamming Service 
(2009-02-11 16:50) 

Following [l]previous coverage of the [2]managed spam 
services offered by [3]the Set-X mail system and a 
[4]copycat variant of it, a newly introduced managed spam 
service is emphasizing on quality assurance through the use 












































of a Google Search Appliance for storing of the harvested 
email databases and the spam templates. 

Here's an automatic translation of some of the key features 
offered by the system, currently having a price 

tag of $1,200 per month: 

11 A summary of the main possibilities of the system 

- Innovative technology deliver a unique e-mail system 
designed specifically for ******** to maximize serve up e- 
mails with a low rate of rejection-Kernel Multi-organization 
system provides extremely high speed while the low- 
platform-Provide complete sender's anonymity at the 
maximum system performance in terms multi-technology 
operating system bypass content filters using the built-in 
special tags: 

+ Configurable generation of random strings 

+ Change the case of letters randomly in a block 

+ random permutation of symbols in the block 

+ Inserting a random character in an arbitrary place in the 
block 

+ Replacing the same style of letters Latin alphabet for the 
Russian block 

+ Duplicating a random character in the block 

+ Paste into the body of a random letter strings from a file 

+ Managed morfirovanie image files in the format GIF- 
Correct emulation header sent letters Simultaneous 
connection of several bases e-mail addresses of those 



letter-substitution is performed from file-substitution e-mail 
addresses for the fields From and Reply-To is performed 
from a file-format of outgoing messages TEXT and HTML 

-/-Ability to send emails from attachments 

+Correct work with images in HTML messages possible as a 
direct method and with copies of CC, BCC-record-keeping 
system, results of the system is stored in files good, bad 
and unlucky for each connection of e-mail addresses, 
respectively 

-/-The system is convenient and intuitive graphical user 
interface 
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System management 

The system is operated under the interface to "Control 
Panel". The first is of them is multifunctional and serves to 
start the process of sending (the state of the "Run"), pause 
(the state of "pause") and confirm the end of the (state 

"Report") . The second button ("Stop") serves to interrupt 
the process otpravki. Data section also contains the 
following information fields: 

- executes an action in this field is carried out to date, the 
system-progress indicator graphic indication of progress the 
task, Completed Display task progress percentage 

- Successful delivery of letters to the number of addresses 
that had been carried out successfully, failure of the 
number of addresses that failed to deliver a letter-number 
bad non-existent addresses, duration of the actual time of 


the task-status displays the status of the kernel system 
kernel kernel memory Displays memory core systems " 

The ongoing arms race between the security industry and 
cybercriminals, is inevitably driving innovation at 

both sides of the front. However, based on the scalability of 
these managed spam services, it's only a matter of time for 
the vendors to embrace simple penetration pricing 
strategies that would allow even the most price-conscious 
cybercriminals, or novice cybercriminals in general to take 
advantage of this standardized spamming approach. The 
disturbing part is that the innovation introduced on behalf 
of the spam vendors in terms of bypassing spam filters, 
seems to be introduced not on the basis of lower delivery 
rates, but due to the internal competition in the cybercrime 
ecosystem. 

For instance, new market entrants in the face of botnet 
masters attempting to monetize their botnets by of¬ 
fering the usual portfolio of cybercrime services, often 
undercut the offerings of the sophisticated managed spam 
vendors. And so the vendors innovate with capabilities that 
the new market entrants cannot match, in order to not only 
preserve their current customers, but also, acquire new 
ones. Managed spam services as a business model is 
entirely driven by long term "bulk orders", compared to 
earning revenues on a volume basis by empowering low 
profile spammers with sophisticated delivery mechanisms. 

In the long term, just like every other segment within the 
cybercrime ecosystem, vertical integration and con¬ 
solidation will continue taking place, and thankfully we'll 
have a situation where the spam vendors would be 



sacrificing OPSEC (operational security) on their way to 
scale their business model and acquire more customers. 

1. http://ddanchev.blo as oot.com/2QQ7/lQ/mana a ed- 
s pammin a-ap pli3nces-future-of.html 

2. http://ddanchev.blo as pot.com/2QQ8/Q7/dissectin a- 
mana a ed-spammin a -service.html 

3. http://blo a s.zdnet.com/securit v/? p = 1899 

4. http://ddanchev.blo as pot.com/2QQ8/lQ/inside-mana a ed- 
s pam-service.html 
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Fake Codec Serving Domains from Digg.corn's 
Comment Spam Attack (2009-02-11 18:55) 

The [l]following assessment details all the redirectors, fake 
codec serving domains, as well as related fake security 
software domains used in the [2]Digg.conT comment spam 
attack. 
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The complete list of the domain redirectors used in the 
comment spam attack: 

worldnews-video .com - 459,000 bogus comments 
youtube-top-video .com - 98,000 bogus comments 
new-videos .info - 92,500 bogus comments 



















film-man .com - 50,700 bogus comments 
last-sex-news .com - 26, 000 bogus comments 
video-news .cn - 25, 500 bogus comments 
last-porno-news .com - 21,500 bogus comments 
fresh-video-news .com - 10,900 bogus comments 
broken-tv .com - 10,000 bogus comments 
video-trailers .net - 8,370 bogus comments 
exclusive-videos .net - 7860 bogus comments 
funkytube .net - 6,170 bogus comments 
shocking-stars .net - 2,600 bogus comments 
cinemacafe .tv - 1560 bogus comments 
watch-video .cn - 3000 bogus comments 
vidstream .cn - 397 bogus comments 
divgg .com - 174 bogus comments 
golden-portal .us - 3040 bogus comments 
tubedirects .net - 290 bogus comments 
funkytube .net - 6,480 bogus comments 
watchepisodes .cn - 331 bogus comments 
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video-sensation .com - 1,500 bogus comments 
bestlive-tv .cn - 216 bogus comments 
svtube .cn - 222 bogus comments 
onlyhotvideos .com - 413 bogus comments 
celebnudestars .net - 326 bogus comments 
usatvshows .us - 41 bogus comments 
vidstream .cn - 398 bogus comments 
divgg .com - 171 bogus comments 
tubedirects .net - 285 bogus comments 
yuotnbe .com - 370 bogus comments 
omeia .info - 769 bogus comments 
video.stumbulepon .com - 669 bogus comments 
shocking-stars .net - 2,650 bogus comments 
sowonder .net - 3000 bogus comments 
sex-tapes-celebs .com - 2,210 bogus comments 
video-sensation .com - 1,690 bogus comments 
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Currently active download locations for the fake codecs, and 
the rogue security software: 


vivaextra .com 


tube-xxx-tv2009 .com 
onlinestreamsofware .com 
demoextra .com 
best-tube-2008 .net 
tubeportalsoftware2008 .com 
tubesoftwareviewer2008 .com 
exefilesdownload2009 .com 
tubesoftwareviewer2009 .com 
uporntube-07 .com 
tubeporn08 .com 
uporn-tube .com 
uporntube2009 .com 
porn-tube09 .com 
tubeporn09 .com 
xxxporn-tube .com 
porntubenew .com 
ultra-extra .com 
xp-police .com 
xp-police-av .com 



xp-police-2009 .com 
antiviralscannerl4 .com 

Detection rates for the codecs/rogue security 
software: 

[3Jviewtubesoftware.40020.exe 
Result: 8/39 (20.51 %) 

File size: 71680 bytes 

MD5...: ef26250b946a63112659c94eed016e0d 
SHA1..: 902fd30cd4a7465c9f5271971604d273ed74a60c 
[43viewtubesoftware.400201.exe 
Result: 7/39 (17.95 %) 

File size: 62464 bytes 

MD5...: Id4c3a6d2cc8c645652f7090636e5a4b 

SHA1..: Cccl994a521d9e8a053a345b9d9cc28a63415845 
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[5]lnstall.exe 
Result: 5/39 (12.82 %) 

File size: 77830 bytes 

MD5...: 64557f21c50b6c063cc96ba661bcd27c 


SHA1..: 5a765a92de07af756c96c83139be8ddacell7efl 



[6Jinstalll.exe 
Result: 4/39 (10.26 %) 

File size: 73222 bytes 

MD5...: 890bf32b34b7abab7aa7ea049215c429 

SHA1..: 8c311a8b6096914f758bcaf82aca465bcc885110 

The first comments including links to these domains have 
been posted at Digg.com on January, 2008 - over an 

year ago. 

1. http://pandalabs.pandasecuritv.com/archive/Have-vou- 
ever-heard-the-term- 22QQ Rickrollm a 22QQ3FQQ -Malwa 

re-distributors-have 2EQ02EQQ2EQQ .as px 

2. http://blo a s.zdnet.com/securit v/7 p = 2544 

3. 

http://www.virustotal.com/analisis/35a4eb801blea42b9260 

d268e6e7d85a 

4. 

http://www.virustotal.com/analisis/3662a950f3e285f7bd83d 

a6de4c7b256 

5. 

http://www.virustotal.com/analisis/2f3ed92d5983b635e71d 

99700d6a42af 

6 . 

http://www.virustotal.com/analisis/d2ee81166ee0cc942228 

5f47ddf76421 
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Community-driven Revenue Sharing Scheme for 
CAPTCHA Breaking (2009-02-17 14:33) 

What follows when a system that was originally created to 
be recognizable by humans only, gets undermined by 

low-waged humans or grassroots movements? Irony, with no 
chance of reincarnation. [1]CAPTCHA is dead, humans 

killed it, not bots. 

A new market entrant into the [2]CAPTCHA-breaking 
economy, is proposing a novel approach that is not only 

going to result in a more efficient human-based CAPTCHA 
solving on a large scale, but is also going to generate 
additional revenues for webmasters and their site's 
community members. The concept is fairly simple, since it's 
mimicking [3]reCAPTCHA's core idea. 

However, instead of digitizing books, the CAPTCHA entry 
field that any webmaster of an underground commu¬ 
nity, or a general site in particular that would like to 
syndicate CAPTCHAs from Web 2.0 web properties is free to 
do so on a revenue-sharing, or plain simple voluntary basis. 
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Consider for a moment the implications if such a project of 
they manage to execute it successfully. Starting from 


community-driven CAPTCHA breaking of Web 2.0 sites on 
basic forum registration fields using MySpace.corn's 

CAPTCHA for authenticating new/old users, the plain simple 
automatic rotation for idle community users, to the 

enforcement of CAPTCHA authentication for each and every 
new forum post/re ply. 

What happens with the successfully recognized CAPTCHAs? 
As usual, hundreds of thousands of bogus profiles 

will get automatically registered for the purpose of spam 
and malware spreading, or reselling purposes. The 

development of this service - if any - will be monitored and 
updates posted if it goes mainstream. 

Related posts: 

[4] The Unbreakable CAPTCHA 

[5] Spammers attacking Microsoft's CAPTCHA - again 

[6] Spam coming from free email providers increasing 

[7] Gmail, Yahoo and Hotmail's CAPTCHA broken by 
spammers 

[8] Microsoft's CAPTCHA successfully broken 

[9] Vladuz's Ebay CAPTCHA Populator 

[10] Spammers and Phishers Breaking CAPTCHAs 
[11 ]DIY CAPTCHA Breaking Service 

[12]Which CAPTCHA Do You Want to Decode Today? 



1. http://blo a s.zdnet.com/securit v/? p = 1835 

2. http://blo a s.zdnet.com/securit v/? p = 1835 

3. http://recaptcha.net/learnmore.html 
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4. http://ddanchev.blo as pot.com/20Q8/Q7/unbreakable- 
captcha.html 

5. http://blo a s.zdnet.com/securit v/? p = 1986 

6. http://blo a s.zdnet.com/securit v/? p = 1514 

7. http://blo a s.zdnet.com/securit v/7 p = 1418 

8. http://blo a s.zdnet.com/securit v/? p = 1232 

9. http://ddanchev.blo as pot.com/2007/Q3/vladuzs-eba v- 
ca ptcha- pp pulator.html 

10. http://ddanchev.blo as pot.com/2007/Q9/spammers-and- 
phishers-breakin a -captchas.html 

11. http://ddanchev.blo as pot.com/20Q7/10/div-captcha- 
breakin a -service.html 

12. http://ddanchev.blo as pot.com/2007/ll/which-captcha- 
do-vQu-want-tQ-decode.html 
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Pharmaceutical Spammers Targeting Linkedln (2009- 
02-18 18:22) 














































Following January's [ljmalware campaign relying on bogus 
Linkedln profiles, this time it's pharmaceutical spammers' 

turn to target the [2]business-oriented social networking 
site. 

From a spammers/blackhat SEO-er's perspective, this is 
done for the purpose of increasing the page rank of 

their pharmaceutical domains based on the number of links 
coming from Linkedln. The campaigns are monetized 

through the usual [3Jaffiliate based pharmaceutical 
networks. 

The following is a complete list of the currently active bogus 
domains, all part of identical campaigns: 

linkedin .com/in/buyviagra45 

linkedin .com/in/phentermi net rueway 

linkedin .com/in/OnlineBuyProzac 

linkedin .com/in/CheapBuyGabapentin 

linkedin .com/in/BuyCheapTramadol 

linkedin .com/in/cheaptramadol 

linkedin .com/in/buybactrimonline 

linkedin .com/in/OnlineBuyAugmentin 
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linkedin .com/in/OnlineBuyMetformin 



linkedin .com/in/OnlineBuyBiaxin 
linkedin .com/in/CheapBuyNorvasc 
linkedin .com/in/OrderBuyCelebrex 
linkedin .com/in/OnlineBuyLipitor 
linkedin .com/in/BuyCheapOxycontin 
linkedin .com/in/OnlineBuyHydrocodone 
linkedin .com/in/OrderBuyPercocet 
linkedin .com/in/OnlineBuyFioricet 
linkedin .com/in/OrderBuyKIonopin 
linkedin .com/in/OnlineBuyDiazepam 
linkedin .com/in/OnlineBuyXanax 
linkedin .com/in/CheapBuyOxycodone 
linkedin .com/in/OnlineBuyClonazepam 
linkedin .com/in/OnlineBuyEffexor 
linkedin .com/in/OnlineBuyAmbien 
linkedin .com/in/OnlineBuyAtivan 
linkedin .com/in/OnlineBuyVicodin 
linkedin .com/in/OnlineBuyNexium 
linkedin .com/in/OrderBuyCipro 
linkedin .com/in/OnlineBuyLorazepam 




linkedin .com/in/propecia 
linkedin .com/in/OnlineBuyAllegra 
linkedin .com/in/CheapBuyMeridia 
linkedin .com/in/OnlineBuyZithromax 
linkedin .com/in/OnlineBuyCelexa 
linkedin .com/in/clomid 
linkedin .com/in/clonazepam 
linkedin .com/in/BuyCheapNeurontin 
linkedin .com/in/cheapfioricet 
linkedin .com/in/OnlineBuyClomid 
linkedin .com/in/OnlineBuylbuprofen 
linkedin .com/in/OnlineBuyZoloft 
linkedin .com/in/OnlineBuyToprol 
linkedin .com/in/OnlineBuyAleve 
linkedin .com/in/OnlineBuyAleve 
linkedin .com/in/OnlineBuyVioxx 
linkedin .com/in/OnlineBuyWellbutrin 
linkedin .com/in/OnlineBuyAmoxicillin 
linkedin .com/in/OnlineBuySuboxone 
linkedin .com/in/OnlineBuyOxycodone 





linkedin .com/in/OnlineBuyLisinopril 
linkedin .com/in/OrderBuyPrevacid 
linkedin .com/in/OnlineBuyLevaquin 
linkedin .com/in/OnlineBuyllltram 
linkedin .com/in/OnlineBuyAlprazolam 
linkedin .com/in/OnlineBuyLamictal 
linkedin .com/in/OnlineBuyNaproxen 
linkedin .com/in/OnlineBuyZyprexa 
linkedin .com/in/OnlineBuyCoumadin 
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linkedin .com/in/OnlineBuyValium 
linkedin .com/in/OnlineBuyLithium 
linkedin .com/in/OnlineBuySynthroid 
linkedin .com/in/OnlineBuyHerceptin 
linkedin .com/in/OnlineBuyAvandia 
linkedin .com/in/OnlineBuyTramadol 
linkedin .com/in/OnlineBuyCymbalta 
linkedin .com/in/OnlineBuyDoxycycline 
linkedin .com/in/OnlineBuyProtonix 


inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
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inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 


ineBuyTestosterone 

ineBuyTopamax 

ineBuyBenadryl 

ineBuyBactrim 

ineBuy Methadone 

ineBuyAtenolol 

ineBuyConcerta 

ineBuyCrestor 

ineBuyTrazodone 

ineBuyVytorin 

ineBuy Melatonin 

ineBuyCephalexin 

ineBuyThyroid 

ineBuyChantix 

ineBuylnsulin 

ineBuyGenace 

ineBuyByetta 

ineBuyPropecia 

ineBuyPlavix 






inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 
inkedin .com/in/On 


neBuyYaz 

neBuyYasmin 

neBuy Potassium 

neBuyValtrex 

neBuyVoltaren 

neBuyPenicillin 

neBuyZyrtec 

neBuy Magnesium 

neBuy Prednisone 

neBuySeroquel 

neBuySoma 

neBuyGabapentin 

neBuyAspirin 

neBuyPseudovent 

neBuyLortab 

neBuyPaxil 

neBuyAlli 


inkedin .com/in/BuyCheapXenical 
inkedin .com/in/CheapBuyllltracet 
inkedin .com/in/buyhydrocodone 






linkedin .com/in/OrderBuyAlli 
linkedin .com/in/buypaxilonline 
linkedin .com/in/OnlineBuyMobic 
linkedin .com/in/OnlineBuyNaprosyn 
linkedin .com/in/OnlineBuyCipro 
linkedin .com/in/OnlineBuyMorphine 
linkedin .com/in/vimax 
linkedin .com/in/OnlineBuyAccutane 
linkedin .com/in/vigrx 
linkedin .com/in/OnlineBuyNorvasc 
linkedin .com/in/OnlineBuyOxycontin 
linkedin .com/in/OnlineBuyProvigil 
linkedin .com/in/OnlineBuyPercocet 
linkedin .com/in/OnlineBuyCelebrex 
linkedin .com/in/OnlineBuyAdipex 
linkedin .com/in/OnlineBuyRitalin 
linkedin .com/pub/dir/purchase/viagra 
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linkedin .com/pub/dir/cialis/online 



linkedin .com/pub/dir/methocarbamol/online 
linkedin .com/pub/dir/acyclovir/online 
linkedin .com/pub/dir/klonopin/online 
linkedin .com/pub/dir/zyprexa/online 
linkedin .com/pub/dir/amitriptyline/online 
linkedin 

.com/pub/dir/buymodalertonline/buymodalertonline 

linkedin .com/pub/dir/zocor/online 

linkedin .com/pub/dir/levitra/online 

linkedin .com/pub/dir/citalopram/online 

linkedin .com/pub/dir/arimidex/online 

linkedin .com/pub/dir/niacin/online 

linkedin .com/pub/dir/phentermine/online 

linkedin .com/pub/dir/provigil/online 

linkedin .com/pub/dir/ritalin/online 

Pharmaceutical domains used in the campaigns: 

buy-pharmacy .info 

viagra-pills .info 

nenene .og 


rxoffers .net 




allrxs .org 

onlinepharmacy4u .org 
cheap-tramadol .us 
buy-tramadol.blogdrive .com 
buymodalert .com 
rx-prime .com 
suche-project .eu 

Acquiring new users in a highly competitive Web 2.0 world 
is crucial, no doubt about it. But in 2009, if you're not at 
least requiring a valid email address, a confirmation of the 
registration combined with a CAPTCHA to at least slow down 
the bogus account registration process and ruin their 
efficiency model - systematic abuse of the service is 
inevitable ([4]Commercial Twitter spamming tool hits the 
market). 

Linkedln's abuse team has already been notified of these 
accounts. 

1. http://ddanchev.blo as pot.com/20Q9/01/dissectin a -bo aus- 
linkedin-profiles.html 

2. http://en.wikipedia.or a /wiki/Linkedln 
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3. http://blo a s.zdnet.com/securit v/? p = 2054 

4. http://blo a s.zdnet.com/securit v/7 p = 2477 
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Fake Celebrity Video Sites Serving Malware - Part 
Three (2009-02-24 00:47) 

In the overwhelming sea of [l]template-ization of malware 
serving sites, (naked )celebrities would always remain the 
default choice offered in the majority of bogus content 
generating tools taking advantage of the high-page rank of 
legitimate Web 2.0 services. 

Following the 2008's [2]Fake Celebrity Video Sites Serving 
Malware series ([3]Part Two) the very latest addi¬ 
tion to the series demonstrates the automatic abuse of 
legitimate infrastructure - in this case Blogspot for the 
purpose of traffic acquisition. 
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The following are currently active and part of the same 
campaign: 

lisa-bonet-angel-heart.blogspot.com 

milla-jovovich-gallery.blogspot.com 

pamela-anderson-hot-sex-tape.blogspot.com 

rihanna-nude-gallery.blogspot.com 

kate-hudson-nude-gallery.blogspot.com 

milla-jovovich-gallery.blogspot.com 

teacher-slept-with-boy.blogspot.com 


meg-white-new-sex-tape.blogspot.com 
anna-faris-hot-video.blogspot.com 
so-hard-movies. blogspot.com 
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vanessa-hot.blogspot.com 
paris-hilton-sexass.blogspot.com 
sex-tape-lindsay-lohan.blogspot.com 
chloesevigny-privategallery.blogspot.com 
kate-winslet-nude-gallery.blogspot.com 
keeley-hazell-sex-hot-video .blogspot.com 
miley-cyrus-sex-tape .blogspot.com 
britney-spears-hottest-video .blogspot.com 
miley-cyrus-naked-video .blogspot.com 
alyssa-milano-naked-video .blogspot.com 
kardashian-hot-video .blogspot.com 
naked-jennifer-lopez .blogspot.com 
vanessa-hudgens-hot-video .blogspot.com 
hottest-lindsay-lohan-video .blogspot.com 
cameron-diaz-porn .blogspot.com 


underworld-rise-lycans .blogspot.com 

Compared to the single-post only Blogspots, the following 

domainstoplOOvideoz.com; cinemacafe.tv; xvids- 
top.com have a lot more bogus content to offer. 

1. http://ddanchev.blo as pot.com/2QQ9/Q2/template-iization- 
of-malware-servin a .html 

2. http://ddanchev.blo as pot.com/2QQ8/Q6/fake-celebrit v- 
v ideo-sites-servin a .html 
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3. http://ddanchev.blo as pot.com/2QQ8/Q8/fake-celebrit v- 
video-sites-servin a .html 
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The Cost of Anonymizing a Cybercriminal's Internet 
Activities - Part Two (2009-02-24 16:10) 

With VPN-enabled [l]malware infected hosts easily acting 
as stepping stones thanks to modules within popular 

malware bots, next to commercial VPN-based services, 
[2]the cost of anonymizing a cybecriminal's Internet 
activities is not only getting lower, but the process is 
ironically managed in data retention heavens such as the 
Netherlands, Luxembourg, USA and Germany in this 
particular case, by using the services of the following ISPs: 
Lease Web AS 















Amsterdam, Netherlands; R00T-A5 root eSolutions; 
HOPONE-DCA HopOne Internet Corp.; NETDIRECTAS 
NETDIRECT 

Frankfurt, DE. 

Operating since 2004, yet another "cybercrime 
anonymization" service is using the bandwidth of legitimate 
data centers in order to run its VPN/Double/Triple VPN 
channels service which it exclusively markets in a "it's 
where you advertise your services, and how you position 
yourself that speak for your intentions" fashion. 
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Description of the service: 

" - We will never sought to make the service cheaper than 
saving the safety of customers. 

- Our servers are located in one of the most stable and high¬ 
speed date points (total channel gigabita 1.2) 

- Only we have the full support service to the date of 
the center, which prevents the installation of sniffers 
and 

monitoring. 

- We do not use standard solutions, our software is based on 
the modified code. 

- Only here you get a stable and reliable service. 


Characteristics of Sites: 


- Channel 100MB, total channels gigabita 1.2. 

- MPPE encryption algorithm is 128 bit 

- Complete lack of logs and monitoring - a guarantee 
of your safety. 

- Completely unlimited traffic. 

- Support for ail protocols of the Internet." 

On the basis of chaining several different VPN channels 
located in different countries all managed by the same 

service, combined with a Socks-to-VPN functionality where 
the Socks host is a malware compromised one, all of 

which maintain no logs at all, is directly undermining the 
usefulness of [3]already implemented data retention laws. 

Moreover, even a not so technically sophisticated user is 
aware that chaining these and adding more VPN servers in 
countries where no data retention laws exist at all, would 
result in the perfect anonymization service where the 
degree of anonymization would be proportional with the 
speed of the connection. In this case, it's the mix of 
legitimate and compromised infrastructure that 
makes it so cybercrime-friendly. 

In respect to the "no logs and monitoring for the sake of our 
customers security" claims, such services are based on trust, 
namely the customers are aware of the cybercriminals 
running them "in between" the rest of the services they 
offer, which and since they're all "on the same page" an 
encrypted connection is more easily established. 



However, an interesting perspective is worth pointing out - 
are the owners of the cybecrime-friendly VPN service 
forwarding the responsibility to their customers, or are in 
fact the customers forwarding the responsibility for their 
activities to the owners which are directly violating data 
retention laws and on purposely getting rid of forensic 
evidence? 

Things are getting more complicated in the "cybercrime 
cloud" these days. 
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1. http://ddanchev.blo as pot.com/2008/Q2/malware-infected- 
hosts-as-ste p pin a .html 

2. http://ddanchev.blo as pot.com/20Q8/10/cost-of- 
anonvmizin a-c vbercriminals.html 

3. 

http://en.wikipedia.or a /wiki/Telecommunications_data_reten 
tEon#Home Office ¥Qluntarv_Code_of_Practice_on_Da 

ta Retention 
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Help! Someone Hijacked my 100k+ Zeus Botnet! 
(2009-02-26 21:42) 

I've been looking for a similar chatter for a while now, given 
the existence of a [l]remotely exploitable vulnerability in an 
old Zeus crimeware release allowing a cybercriminal to 
inject a new user within the admin panel of another 
cybecriminal. 

















It appears that this guy has had his 100k+ Zeus botnet 
hijacked several months ago, and now that he's man¬ 
aged to at least partly recover the number of infected hosts 
in two separate botnets, is requesting advice on how to 
properly secure his administration panel. 

Here's an exact translation of his concerns : 

" Dear colleagues, I'd like to hear all sorts of ideas regarding 
to security of Zeus. I've been using Zeus for over an year 
now, and while I managed to create a botnet of 100k 
infected hosts someone hijacked it from me by adding a 
new user and changing my default layout to orange just to 
tip once he did it. Once I fixed my directory permissions. I 
now have two botnets, the first one is 30k and the second 
(thanks to a partnership with a friend) is now 3k located at 
different hosting providers. 

Sadly, yesterday I once again found out that my admin 
panel seems to have been compromised since all the 

files were changed to different name, and access to the 
admin panel blocked by IP. Yes, that seems to be the IP the 
hijacker is using. The attacker has been snooping Apache 
logs in order to find IPs that have been used for logging 
purposes and blocked them all. Therefore I think the new 
user has been added by exploiting a flaw in Zeus. In my 
opinion a request was made to the database, either through 
an sql injection in s.php a file or a request from within a 
user with higher privileges. 

Since I've aplied patches to known bugs, this could also be 
a compromise of my hosting provider. So here are some 
clever tips which I offer based on my experience with 
securing Zeus. 



- Change the default set of commands, make them unique 
to your needs only. 

- If it is possible to prohibit the reading and dump tables 
with logs all IP, to allow only certain (so that the crackers 
were not able to make a dump and did not read the logs in 
the database). 

- If it is possible to prohibit editing of tables with ail the 
commands of Zeus IP, to allow only certain (that could not 
be 

"hijacked", insert the command bots)" 

Surreal? Not at all, given the existing monoculture on the 
crimeware market. Morever, yet another vulnera¬ 
bility was found in the Firepack web malware exploitation 
kit earlier this month ([2]Firepack remote command 

execution exploit that leverages admin/ref.php). This exploit 
could have made a bigger impact in early 2008, the 82 

peak of the Firepack kit, which was also localized to Chinese 
several months later: 

[3] The FirePack Web Malware Exploitation Kit 

[4] The FirePack Exploitation Kit - Part Two 

[5] The FirePack Exploitation Kit Localized to Chinese 

Ironically, cybercriminals too, seem to be using outdated 
versions of their crimeware. 

Related posts: 

[6] Crimeware in the Middle - Adrenalin 



[7] 76Service - Cybercrime as a Service Going Mainstream 

[8] Zeus Crimeware as a Service Going Mainstream 

[9] Modified Zeus Crimeware Kit Gets a Performance Boost 

[10] Modified Zeus Crimeware Kit Comes With Built-in MP3 
Player 

[11] Zeus Crimeware Kit Gets a Carding Layout 

[12] The Zeus Crimeware Kit Vulnerable to Remotely 
Exploitable Flaw 

[13] Crimeware in the Middle - Zeus 

1. http://ddanchev.blo as oot.com/2QQ8/Q6/zeus-crimeware- 
kit-vulnerable-to.html 

2. http://packetstorm.linuxsecuritv.com/0902- 
exp I oits/fi repack-exec.txt 

3. http://ddanchev.blo as pot.com/2QQ8/Q2/firepack-web- 
malware-explQitation-kif.html 

4. http://ddanchev.blo as pot.com/20Q8/Q4/firepack- 
exploitation-kit-part-two.html 

5. http://ddanchev.blo as pot.com/20Q8/Q5/firepack- 
exploitation-kit-localized-to.html 

6. http://ddanchev.blo as pot.com/2QQ9/Q2/crimeware-in- 
middle-adrenalin.html 

7. http://ddanchev.blo as pot.com/2QQ8/Q8/76service- 
c vbercrime-as-service- a oin a .html 































8. http://ddanchev.blo as pot.com/2QQ8/12/zeus-crimeware- 
as-service- a oin a .html 


9. http://ddanchev.blo as pot.com/20Q8/ll/modified-zeus- 
crimeware-kit- a ets.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q9/modified-zeus- 
crimeware-kit-comes-with.html 


11. http://ddanchev.blo as pot.com/2QQ8/ll/zeus-crimeware- 
kit- g ets-cardin a -lavout.html 

12. http://ddanchev.blo as pot.com/2QQ8/Q6/zeus-crimeware- 
kit-vulnerable-to.html 


13. http://ddanchev.blo as pot.com/2QQ8/Q4/crimeware-in- 
middle-zeus.html 
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Inside a DIY Image Spam Generating Traffic 
Management Kit (2009-02-26 22:48) 

Whatever the spammer/pharma master or plain simple 
cybercriminal requires - the spamware vendors deliver so 

that a win-win-win scenario takes place for the buyer, the 
seller, and the enabler, in this case the affiliate network 
allowing image-based spam compared to Web 1.0's link 
based performance measurement. 

That's the main objective of one of the very latest traffic 
management kit is once again quality assurance in 

the process of managing image-spam based campaigns. 
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Here's a translated description of the traffic management 
kit: 

" As you know, now many pay per click networks offer 
within their ad scripts the so called graphic feeds.Any site 
allowing the use of the IMG tag can serve them, that 
includes popular free web based services. The problem so 
far has been the lack of quality measurement and 
optimization of this approach. 
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This imposes severe restrictions on the ability to convert 
traffic to the resource, the automatic redirection of which is 
impossible. Our system allows you to allows you to create 
your own ads and send traffic to them to where you think 
they fit. 

How it works: you create a campaign with your own 
keywords, generate a random image, customize it, gener¬ 
ate a link to the ad and paste it into the hosting site, or 
include it in your email campaigns. By doing this you're able 
to add more interactivity in your campaigns and improve 
your dick through rates. 
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Here's a summary of the features we offer you: 


- Create messages with random text and random design. 
Change ad size and font color, underline, and the 

selection, styles, font and alignment, frames - everything is 
set up. You can use any font that you want to - it's 
completely up to you 

- Manage design ads through profiles within the system, 
save your creativity 

- Use of any image as the ads. This may be a screenshot of 
your pharmacy, banner, and even anything 
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- Combine different types of simple ads on the same page 

- Create messages with any embedded images. For example 
(dick on picture to see actual ad size) 

- Use alternative keywords in the references (some of the 
resources do not allow to post links containing the names of 
pills and other banned words) 

- Filter incoming traffic to the countries of the User-Agent, IP 
or range of IP 1 

It's important to emphasize on the fact that this is a DIY 
image-spam generating kit, in comparison, the much 

more efficient and again random image-spam generating 
service is offered by the sophisticated and experienced 

managed spam service providers who still prefer working 
with reputable and well known individuals, instead of going 
mainstream. 


Related posts: 

[1] Quality Assurance in a Managed Spamming Service 

[2] Managed Spamming Appliances - The Future of Spam 

[3] Dissecting a Managed Spamming Service 

[4] lnside a Managed Spam Service 

[5] Spamming vendor launches managed spamming service 

[6] Segmenting and Localizing Spam Campaigns 

1. http://ddanchev.blo as DOt.com/2QQ9/Q2/aualit v- 
assurance-in-mana a ed-spammin g .html 
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2. http://ddanchev.blo as pot.com/2QQ7/lQ/mana a ed- 
s pammin a-ap p8iances-future-of.html 

3. http://ddanchev.blo as pot.com/2QQ8/Q7/dissectin a- 
mana a ed-spammin a -service.html 

4. http://ddanchev.blo as pot.com/2QQ8/lQ/inside-mana a ed- 
s pam-service.html 

5 . httP://blo a s.zdnet.com/securit v/? p = 1899 

6. http://ddanchev.blo as pot.com/2QQ8/Q5/se a mentin a -and- 
localizin a-s pam.html 

89 


1.3 


March 

































Summarizing Zero Day's Posts for February (2009- 
03-04 12:28) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for February. You can also go through 
previous summaries for [2]January, [3]December, 
[4]November, [5]October, [6]September, [7]August and 
[8]July, as well as subscribe to my [9]personal RSS feed or 
[10]Zero Day's main feed. 

01. [ll]Commercial Twitter spamming tool hits the market 

02. [12]Fake Antivirus XP pops-up at Cleveland.com 

03. [13]Report: 92 % of critical Microsoft vulnerabilities 
mitigated by Least Privilege accounts 

04. [14]Massive comment spam attack on Digg.com leads 
to malware 

05. [15]Crimeware tracking service hit by a DDoS attack 

06. [16]Targeted malware attacks exploiting IE7 flaw 
detected 

07. [17]New Symbian-based mobile worm circulating in the 
wild 

08. [18]Rogue security software spoofs ZDNet Reviews 

09. [19]Adobe Reader 9 and Acrobat 9 zero day exploited in 
the wild 


10. [20]Chinese hackers deface the Russian Consulate in 
Shanghai 

11. [21]eBay solutions providerAuctiva.com infected with 
malware 

12. [22]Malware campaign at YouTube uses social 
engineering tricks 

13. [23]Research: 76 % of phishing sites hosted on 
compromised web servers 
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1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/2QQ9/Q2/summarizin a- 
zero-da vs- posts-for- i anuarv.html 

3. http://ddanchev.blo as pot.com/2QQ9/Ql/summarizin a- 
zero-da vs- posts-for.html 

4. http://ddanchev.blo as pot.com/2QQ8/12/summarizin a- 
zero-da vs- posts-for.html 

5. http://ddanchev.blo as pot.com/2QQ8/ll/summarizin a- 
zero-da vs- posts-for-october.html 

6. http://ddanchev.blo as pot.com/2QQ8/lQ/summarizin a- 
zero-da vs- posts-for.html 

7. http://ddanchev.blo as pot.com/2QQ8/Q9/summarizin a- 
zero-da vs- PQSts-for-au a ust.html 

8. http://ddanchev.blo as pot.com/2QQ8/Q8/summarizin a- 
zero-da vs- posts-for- iul v.html 




































9. http://updates.zdnet.com/ta a s/dancho+danchev.html? 
t=0&s=Q&o=l&mode=rss 

10. http://feeds.feedburner.com/zdnet/securit v 

11. httP://blo a s.zdnet.com/securit v/? p=2477 

12. http://blo a s.zdnet.com/securit v/? p=2513 

13. httP://blo a s.zdnet.com/securit v/? p=2517 

14. http://blo a s.zdnet.com/securit v/? p=2544 

15. httP://blo a s.zdnet.com/securit v/? p=2596 

16. http://blo a s.zdnet.com/securit v/? p=2607 

17. http://blo a s.zdnet.com/securit v/? p=2617 

18. http://blo a s.zdnet.com/securit v/? p=2624 

19. httP://blo a s.zdnet.com/securit v/? p=2631 

20. http://blo a s.zdnet.com/securit v/? p=2641 

21. http://blo a s.zdnet.com/securit v/? p=2648 

22. http://blo a s.zdnet.com/securit v/? p=2695 

23. http://blo a s.zdnet.com/securit v/? p=2707 
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Russian Homosexual Sites Under (Commissioned) 
DDoS Attack (2009-03-04 13:00) 


From Russia with homophobia? 














































A week long DDoS attack launched against Russia's most 
popular commercial homosexual sites has finally 

ended. The simultaneous attack managed to successfully 
shut down the web servers of most of the sites, which 

responded with filtering of all traffic that is not coming from 
Russia. Ironically, the attack was in fact coming from 
Russian, courtesy from a botnet operated by a DDoS for hire 
service. 

Here's a list of the sites that were subject to the DDoS, with 
the majority of them returning 11 503 Service Temporarily 
Unavailable' 1 error message during last week : 

gogay.ru 

lgay.ru 

androgin.ru 

boysclub.ru 

egay.ru 

gaylines.ru 

gaymoney.ru 

gayplanet.ru 

gayrelax.ru 

xabalka.ru 

On the 25th of January, gogay.ru was among the few sites to 
issue a statement and confirm the attacks offer- 



ing financial reward for information leading to the source : 
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" Yesterday (25 February), our site is subjected to serious 
hacker attacks (flood-attack capacity of 2 Mbit / sec). The 
attack reflected, but is still continuing at other gay sites 
lgay.ru, egay.ru, xabalka.ru and so on. If you have any 
information (we are willing to pay for uHCpy of tailor-made) 
on the causes of the attack, if you - the webmaster and your 
own gay website exposed attacks (if the last few days your 
site has been slow to load and create a greater burden - it is 
very likely that the same attack, only disguised), sabotage, 
blackmail or extortion by unidentified persons 

- always contact us. " 

Since the sites are commercial providers of homosexual 
multimedia content and are thereby bandwidth-consuming, 

the attacks were aiming to disrupt their business operations, 
and they managed to do so. Russia's government is well 
known to have [l]a rather violent take on homosexuality in 
general, and with overall availability of outsourced DDoS 

attack services offering anonymity and destructive 
bandwidth, the efforts to request such an attack remain 
minimal. 

1. http://www.workers.or g /20Q6/world/russia-06Q8/ 




Inside (Yet Another) Managed Spam Service (2009- 
03-09 22:18) 

Several years ago, getting into the spam business used to 
involve the [l]process of harvesting emails, figuring out 
ways to [2]segment the database, localize the spam 
campaign by using a free translation service [3]eventually 
ruining the social engineering effect, creating your very own 
botnet and coming up with creative ways to bypass anti¬ 
spam filters, ensuring the botnet remains operational, 
coming up with ways to obtain access to IPs with clean 
reputation, with little or no campaign effectiveness 
measurement at all.. 

These relatively higher market entry barriers are long gone. 
Today, every single step in [4]the spamming pro¬ 
cess is managed and can be [5]outsourced in a cost- 
effective manner to the point where the [6]one-stop-shop 
spam vendors have vertically integrated and occupied 
[7]every single market segment possible in order to increase 
the 

"lifetime value" of their potential customers. 
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When do you know that it's going to get uglier in the long 
term? It's that very special moment in time when the 
backend for such [8]a managed spam system utilizing 
malware infected hosts and legitimate servers for achieving 
its objectives, goes mainstream and its authors remove the 
"proprietary, high-profit margin revenues earning business 
model" label from it. 


And with this particular moment in time already a fact since 
the middle of 2008 ([9]Spamming vendor launches 

managed spamming service), yet another new market 
entrant is pitching its managed spam service with the 
ambition to monetize his access to a particular botnet, and 
break-even from the investment made in the backend 
system. 
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With 9 different campaigns already finished (see the top 
screenshot) and another one currently in progress 
spamming out 3215 emails using 1672 infected hosts based 
on a harvested email database consisting of 306204 emails 
(notice the percentage of non-existent emails potentially 
spam-poison traps), his business model is up and running. 

Further developments and new features within the service 
would remain under close monitoring in the future 

as well. In particular, the original vendor's updates which 
would ultimately affect all of his "value-added partners" 

improved managed spamming capabilities. 

1. http://ddanchev.blo as pot.com/2008/Q8/automatic-email- 
harvestin a -20.html 

2. http://ddanchev.blo as pot.com/2008/Q5/se a mentin a -and- 
localizin a-s pam.html 

3. http://ddanchev.blo as pot.com/20Q8/ll/localizin a- 
c vbercrime-cultural.html 















4. http://ddanchev.blo as pot.com/2QQ9/Q2/aualit v- 
assurance-in-mana a ed-spammin a .html 


5. http://ddanchev.blo as pot.com/20Q7/lQ/mana a ed- 
s pammin a-ap pliances-future-of.html 

6. http://ddanchev.blo as pot.com/2QQ8/Q7/dissectin a- 
mana a ed-spammin a -service.html 

7. http://ddanchev.blo as pot.com/2QQ9/Q2/inside-div-ima ae- 
s pam- a eneratin a .html 

8. http://ddanchev.blo as pot.com/2QQ8/lQ/inside-mana a ed- 
s pam-service.html 

9. http://blo a s.zdnet.com/securit v/? p = 1899 
97 


£ 


£ 


Azerbaijanian Embassies in Pakistan and Hungary 
Serving Malware (2009-03-11 15:45) 

The very latest addition to the "Compromised International 
Embassies Series" are the Hungarian and Pakistani 
embassies of the Republic of Azerbaijan, which are currently 
[ljiFramed with exploits-serving domains. 

Is there such a thing as a coincidence, especially when it 
comes to three malware embedded attacks in a week 
affecting [2]Azerbaijan's USAID.gov section, and now their 
Pakistani (azembassy.com.pk) and Hungarian 
(azerembassy.hu) embassies? Depends, and while the 
USAID.gov attack was exclusively orchestrated for their 
section, the Pakistani and Hungarian ones are part of a more 
































widespread campaign. Theoretically, this could be a noise 
generation tactic. 

Here's a brief assessment of the attacks. 

Both embassies are embedded with identical domains, 
parked at the same IP and redirecting to the same client- 
side exploits serving URL operated by Russian 
cybercriminals, filmlifemusicsite .cn/in.cgi?cocacola95; 
promixgroup 

,cn/in.cgi?cocacola91; betstarwager .cn/in.cgi? 
cocacola86 and betstarwager .cn/in.cgi?cocacola80 

all respond to (78.26.179.64; 66.232.116.3) and redirect to 

clickcouner .cn/?t=5 (193.138.173.251) 

Parked domains at 78.26.179.64; 66.232.116.3 : 

denverfilmdigitalmedia .cn 
litetopfindworld .cn 
nanotopfind .cn 
filmlifemusicsite .cn 
litetoplocatesite .cn 
litedownloadseek .cn 
yourliteseek .cn 
diettopseek .cn 
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bestlotron .cn 



promixgroup .cn 
betstarwager .cn 

What prompted this sudden attention to Azerbaijanian web 
sites? [3]Azerbaijan's President visit to Iran in the 

same week when Russian Foreign Minister [4]Sergei Lavrov 
is visiting Azerbaijan? And why is the phone back domain 
for the malware served at the USAID.gov site phoning back 
to a [5]welI known Russian Business Network domain 
(fileuploader .cn/check/check.php) which was again 
active in January, 2008 and used by one of my favorite 
malware groups to monitor during 2007/2008 - the M [6]New 
Media Malware Gang" ([7]Part Three; [8]Part Two and [9]Part 
One)? 

Food for thought. 

Related posts: 

[lOjEmbassy of India in Spain Serving Malware 
[lljEmbassy of Brazil in India Compromised 

[12] The Dutch Embassy in Moscow Serving Malware 

[13] U.S Consulate in St. Petersburg Serving Malware 

[14] Syrian Embassy in London Serving Malware 

[15] French Embassy in Libya Serving Malware 
1 . 

http://securitvlabs.websense.com/content/Alerts/3316.as ox 


2. http://blo a s.zdnet.com/securit v/? p = 2817 







3. http ://www.isna.i r/ISNA/NewsVi ew.asox?ID=News- 
13049 2 3& Lan a =E 

4. http://abc.az/en a /news 11 03 2009 33Q3Q.html 

5. http://ddanchev.blo as pot.com/20Q8/01/rbns-fake- 
account-suspended-notices.html 

6. http://ddanchev.blo as pot.com/2008/Q3/new-media- 
malware- a an a- part-four.html 

7. http://ddanchev.blo as pot.com/2008/Q2/new-media- 
malware- a an a- part-three.html 

8. http://ddanchev.blo as pot.com/20Q7/12/new-media- 
malware- a an a- part-twQ.html 

9. http://ddanchev.blo as pot.com/20Q7/ll/new-media- 
malware- a an a .html 

10. http://ddanchev.blo as pot.com/2009/01/embassv-of- 
india°i n-spain-servin a .html 

11. http://ddanchev.blo as pot.com/2QQ8/ll/embassv-of- 
brazil-in-india-compromised.html 

12. http://ddanchev.blo as pot.com/20Q8/01/dutch-embass v- 
in-moscow-servin a -malware.html 

13. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin a .html 

14. http://ddanchev.blo as pot.com/2007/Q9/svrian-embass v- 
in-london-servin a .html 

15. http://ddanchev.blo as pot.com/20Q7/12/have-vour- 
malware-in-timelv-fashion.html 
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Who's Behind the Estonian DDoS Attacks from 2007? 
(2009-03-12 17:39) 

The rush to claim responsibility for 2007's DDoS attacks 
against Estonia 

100 


£ 


Ethiopian Embassy in Washington D.C Serving 
Malware (2009-03-18 23:10) 

Oops, they keep doing it again and again. The web site of 
the Ethiopian Embassy in Washington D.C (ethiopianem- 
bassy.org) has been [l]compromised and is currently 
iFrame-ed to point to a live exploits serving URL on behalf of 
Russian cybercriminals, naturally in a multitasking mode 
since the iFrame used to act as a redirector in several other 
malware campaigns. 

Despite that the iFrame domain (ltvv .com/index.php) is 
already "taken care of", details on the original campaign can 
still be provided. Multiple dynamic redirectors with a hard 
coded malware serving domain are nothing 

new, thanks to sophisticated traffic management kits 
allowing this to happen. The mentality applied here is pretty 
simple and is basically mimicking fast-flux as a concept. 

With or without one of the redirection domains, the 
campaign keeps running like the following: 

usl8.ru/@/include/spl.php (91.203.4.112) as the hard 
coded malware serving domain within the mix, is currently 


serving Office Snapshot Viewer, MDAC, Adobe Collab 
overflow exploits etc. courtesy of web malware 

exploitation kit (Fiesta). Traffic management is done through 

trafficinc .ru and trafficmonsterinc .ru also parked at 
91.203.4.112 with [2]Win32.VirToolObfusca served at the 
end. 

Related posts: 

[3] USAID.gov compromised, malware and exploits served 

[4] Azerbaijanian Embassies in Pakistan and Hungary 
Serving Malware 

[5] Embassy of India in Spain Serving Malware 

[6] Embassy of Brazil in India Compromised 

[7] The Dutch Embassy in Moscow Serving Malware 

[8] U.S Consulate in St. Petersburg Serving Malware 

[9] Syrian Embassy in London Serving Malware 

[10] French Embassy in Libya Serving Malware 

1. http://www.soohos.com/securitv/blo a /2009/03/3564.html 

2 . 

http://www.virustotal.com/analisis/fff217d70312ff26f48bda 

ef9e66b6c5 

3. http://blo a s.zdnet.com/securit v/? p = 2817 

4. http://ddanchev.blo as pot.com/2009/Q3/azerbai i anian- 
embassies-in-pakistan-and.html 
















5. http://ddanchev.blo as pot.com/2QQ9/Ql/embassv-of-india- 
in-spain-servin a .html 


6. http://ddanchev.blo as pot.com/20Q8/ll/embassv-of-brazil- 
in-india-compromised.html 

7. http://ddanchev.blo as pot.com/2QQ8/Ql/dutch-embass v- 
in-moscow-servin a -malware.html 

8. http://ddanchev.blo as pot.com/2QQ7/Q9/us-consulate-st- 
petersbur a -servin g .html 

9. http://ddanchev.blo as pot.com/20Q7/Q9/svrian-embass v- 
in-london-servin a .html 

10. http://ddanchev.blo as pot.com/2QQ7/12/have-vour- 
malware-in-timelv-fashion.html 
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Crimeware in the Middle - Limbo (2009-03-19 18:59) 

While you were out - M [l]Cybercrime-as-a-Service is finally 
taking off" and a $400 will get you in the hacking business. 

Such a mentality speaks for an outdated situational 
awareness. 

Cybercrime as a service originally started in the form of 
"value-added" post-purchase services, the now ubiquitous 
lower detection rate management for a malware binary, and 
anti-abuse domain hosting for the command and 

control interface, several years ago. As far as the $400 
required as an entry barrier into cybercrime no longer exists. 
































In reality, pirated copies each and every web malware 
exploitation kit including the proprietary crimeware kits are 
becoming more widespread these days. 

The cybercrime economy has not only matured into a 
sophisticated services-driven marketplace a long time 

ago, but also, nowadays we can clearly see how 
standardizing the exploitation approach is inevitably 
resulting 

in efficiencies - think web malware exploitation kits with 
diverse exploits sets and massive SQL injection attacks. 

The underground economy is in fact so vibrant, that the 
existing monoculture on the crimeware front is already 

[2]allowing cybercriminals to hijack the crimeware botnets 
of other cybercriminals unaware of the fact that they're 
running an oudated copy of their kit. 

Followed by Zeus and Adrenalin, it's time to profile Limbo, 
an alternative crimeware kit that's been publicly 

available for purchase since 2007. Interestingly, none of 
these kits can compare to the current market share of Zeus, 
perhaps the most popular crimeware kit these days, a 
development largely driven by the community build around 

Zeus, and the major enhancements introduced within the 
kit on behalf of third-party developers. 

Here's what Limbo is all about: 
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" It works on the principle of the add-in to Internet Explorer, 
not visible in the processes to make the logs being hidden 
from the firewall redirector, and other programs to monitor 
network activity. Supplied as a loader, which is removed 
after the launch, unpacks itself and make all necessary 
entries in the registry When you first start IE it cleans 
Cookies, reads Protected Storage (Autosaved passwords in 
IE, Outlook passwords, etc.) Whenever a user visits the 
monitored sites, Limbo intercepts the parameters which are 
later on transmitted to the server once the user presses the 
browser key. 

Commands: 

- Update the binary 
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- Launch arbitrary exe file 

- Update configurator (xml file available) 

- Cleaning Cookies 

- Remove Limbo 

- Theft of keys for Bank of America, as well as the keys of 
those banks that have moved to a system of keys 

- Exclude all the keys for Bank of America, as well as other 
banks of keys (control questions asked again, and you can 
intercept the answers to them) 


- Add to your hosts - to block a certain site (it seems as if it 
does not boot at all) 

- Reboot Windows 

- Destroy Windows 

Main features: 

- Grabs data from forms, including data around forms (all in 
a row or a pattern described in the configuration file) 

- Logging of keystrokes in the browser, at the time when the 
user enters something in the edit form (it is sometimes 
useful - for example when the entered data is encrypted 
after submit form) 

- Logging of virtual keyboards (universal technology was 
developed for the Turkish and Australian banks) 

- Theft of keys (Bank of America, as well as other banks, 
whose protection is key-based) - are in the archive, the 
archive is created from the user on the computer. 

- Delete key (Bank of America, as well as other banks, 
whose protection is built based on keys) - it is useful to 
force the user to enter answers to security questions 

- Scam page redirection (the fake of same page with the 
substitution of the address bar of iE and the status bar on 
infected hosts) 

- Harvesting of emails (including the address book user) - by 
request includes this possibility 


- Set the filter for sites that do not need to intercept 



- Simple injects-based system (paste your text input field on 
a particular site - for example, to ask for a pin Holder) 

- Smart injects system - blocking form until user input is not 
injected into the data fields (checking for the count-woo 
characters of their type - the numbers or letters) 

- TANs grabbing - vital for the German sites 

Paid only features: 

- A hidden transfer (transfer of command from the admin 
panel) - HARD-sharpen under one bank 
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- Autocomplete of hijacked session (eg when a user makes a 
transfer, useful if the transfer requires the SMS 
confirmation. Strictly tied to a particular bank only. 

PHP based admin includes: 

- Mapping of users to the admin 

- Directing teams selected users 

- Delete commands and users 

- Showing the status of the command 

- Mapping and IP users 

- Ability to delete tax 

- Display the size of logs 

- Search for logs 


- Archiving of logs 

- Filter by country 

- Possibility of sending logs to email 

- Statistics on infection 

- View collected emails 

- The giving of the notes selected users 

- The last call 

- Displaying a page by page (say 200 records per page) 

- An opportunity to log everything in one file (optional) 

- Sorting of logs according to different criteria 

- Delete all logs 

- Have the opportunity to log into mysql, as well as the 
ability to search for him there is (an order of magnitude 
faster search) 
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These commands are downloaded to the host after a certain 
period of time and performed in the admin panel you can 
see the status of commands for a specific user - download I 
downloaded but not executed I implemented. " 

With crimeware in the middle, no SSL/two-factor based 
authentication can ensure a non-transparent to the 

eyes of the cybercriminal transaction. 



Related posts: 

[3] Crimeware in the Middle - Adrenalin 

[4] Crimeware in the Middle - Zeus 

[5] 76Service - Cybercrime as a Service Going Mainstream 

[6] Zeus Crimeware as a Service Going Mainstream 

[7] Modified Zeus Crimeware Kit Gets a Performance Boost 

[8] Modified Zeus Crimeware Kit Comes With Built-in MP3 
Player 

[9] Zeus Crimeware Kit Gets a Carding Layout 

[10] The Zeus Crimeware Kit Vulnerable to Remotely 
Exploitable Flaw[ll] 

1 . 

http://www.itnews.com.au/News/98524 .c vbercnmeasaservic 

e-takes-off.as px 

2. http://ddanchev.blo as pot.com/2QQ9/Q2/help-someone- 
hii acked-mv-100k-zeus.html 

3. http://ddanchev.blo as pot.com/2QQ9/Q2/crimeware-in- 
middle-adrenalin.html 

4. http://ddanchev.blo as pot.com/2QQ8/Q4/crimeware-in- 
middle-zeus.html 

5. http://ddanchev.blo as pot.com/2QQ8/Q8/76service- 
c vbercrime-as-service- a oin a .html 

6. http://ddanchev.blo as pot.com/2QQ8/12/zeus-crimeware- 
as-service- a oin a .html 

























7. http://ddanchev.blo as pot.com/2QQ8/ll/modified-zeus- 
crimeware-kit- a ets.html 


8. http://ddanchev.blo as pot.com/20Q8/Q9/modified-zeus- 
crimeware-kit-comes-with.html 

9. http://ddanchev.blo as pot.com/2QQ8/ll/zeus-crimeware- 
kit- a ets-cardin a -lavout.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q6/zeus-crimeware- 
kit-vulnerable-to.html 


11. http://ddanchev.blo as pot.com/2QQ8/Q4/crimeware-in- 
middle-zeus.html 
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Embassy of Portugal in India Serving Malware (2009- 
03-25 23:08) 

Yet another embassy web site is falling victim into a 
malware attack serving Adobe exploits to its visitors. As of 
last Friday, [l]the official web site of the Embassy of 
Portugal in India has been compromised 

(embportindia.co.in). 

Who's behind the attack? Interestingly, that's the very same 
group that compromised the [2]Azerbaijanian Embassies in 
Pakistan and Hungary earlier this month. Assessing this 
campaign once again establishes a direct connection with 
the Rusian Business Network's pre-shutdown netblocks and 
static locations. 

The very same domain using the same web traffic 
redirection script, used in the malware campaigns at the 




















Azerbaijanian Embassies in Pakistan and Hungary, can be 
found at the Portugal embassy's web site, betstarwager 

.cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet 
.com/index.php?cocacola84 (94.247.3.151) where 
[3]Multiple Adobe Reader and Acrobat buffer overflows are 
served : 

zzzz.hostindianet .com/load.php?id=4 -> 
ghrgt.hostindianet .com/cache/readme.pdf 

zzzz.hostindianet .com/load.php?id=5 -> 
ghrgt.hostindianet .com/cache/flash.swf 

The second iFramed domain ntkrnlpa .cn/rc/ 
(159.226.7.162) has a juicy history linking it to previous 
campaigns. In [4]February, 2008, an anti-malware vendor's 
site (AvSoft Technologie) was iFramed with the iFrame 

back then (ntkrnlpa .info/rc/?i = l) pointing to the Russian 
Business Network's original netblock It gets even more 
interesting when you take into consideration the fact that 
ntkrnlpa.info was also sharing ifrastructure with zief.pl, 
among the [5]most widely abused domains in the recent 
[6]Google Trends keywords [7]hijacking campaigns. Zief.pl 
is also service of choice for certain campaigns of the [8]Virut 
malware family, irc.zief.pl in particular. 

It gets even more malicious considering that on the same IP 
(ntkrnlpa .cn/rc/ 159.226.7.162) where one of the 

malware domains in the embassy's campaign is parked, we 
can easily spot domains (baidu-baiduxin3 .cn for 
instance) that were participating in last year's [9]IE7 
massive zero day exploit serving campaign. Moreover, in a 
typical multitasking stage, the cybercriminals behind the 
campaign are also hosting [10]Zeus crimeware campaigns 
on it. 



A reincarnation of a well known RBN domain, confirmed 
participation at related compromises of embassy 

web sites by the same group, sharing ifrastructure with 
domains from a massive IE7 ex-zero day attack and hosting 
Zeus crimeware command and control locations - 
underground multitasking at its best. 

Related posts: 

[11] Ethiopian Embassy in Washington D.C Serving Malware 

[12] USAID.gov compromised, malware and exploits served 

[13] Azerbaijanian Embassies in Pakistan and Hungary 
Serving Malware 

[14] Embassy of India in Spain Serving Malware 

[15] Embassy of Brazil in India Compromised 

[16] The Dutch Embassy in Moscow Serving Malware 
107 

[17] U.S Consulate in St. Petersburg Serving Malware 

[18] Syrian Embassy in London Serving Malware 

[19] French Embassy in Libya Serving Malware 
1 . 

http://securitvlabs.websense.com/content/Alerts/3326.as ox 

2. http://ddanchev.blo as pot.com/2009/Q3/azerbai i anian- 
embassies-in-pakistan-and.html 









3. 

http://www.virustotal.com/analisis/46499ad85a338b6d089a 

c31326a0daa5 

4. http://ddanchev.blo as pot.com/2008/Q2/anti-malware- 
vendors-site-servin a .html 

5. http://www. a oo a le.com/safebrowsin a /dia a nostic? 
site=zief. ol/ 

6. http://blo a s.zdnet.com/securit v/? p = 1995 

7. http://ddanchev.blo as pot.com/20Q8/10/svndicatin a- 
g oo g le-trends-kevwords-for.html 

8. http://vil.nai.eom/vil/content/v 143034.htm 

9. httP://blo a s.zdnet.com/securit v/? p=2328 

10. https://zeustracker.abuse.ch/monitor. php? 
i paddress=159.226.7.162 

11. http://ddanchev.blo as pot.com/2009/Q3/ethiopian- 
embassv-in-washin a ton-dc.html 

12. http://blo a s.zdnet.com/securit v/? p=2817 

13. http://ddanchev.blo as pot.com/2009/Q3/azerbai i anian- 
embassies-in-pakistan-and.html 

14. http://ddanchev.blo as pot.com/20Q9/01/embassv-of- 
india-in-spain-servin a .html 

15. http://ddanchev.blo as pot.com/20Q8/ll/embassv-of- 
brazil-in-india-compromised.html 

16. http://ddanchev.blo as pot.com/20Q8/01/dutch-embass v- 
in-moscow-servin a -malware.html 
























































17. http://ddanchev.blo as pot.com/2QQ7/Q9/us-consulate-st- 
petersbur a -servin a .html 


18. http://ddanchev.blo as pot.com/2QQ7/Q9/svrian-embass v- 
in-london-servin a .html 

19. http://ddanchev.blo as pot.com/2QQ7/12/have-vour- 
malware-in-timelv-fashion.html 
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A Diverse Portfolio of Fake Security Software - Part 
Sixteen (2009-03-26 13:08) 

The following are some of the very latest typosquatted 
rogue security software domains pushed through blackhat 

SEO, web site compromises, and systematic abuse of 
legitimate Web 2.0 services. 

yourstabilitysystem .com (209.44.126.14) 

onlinescanservice .com 

scanalertspage .com 

getscanonline .com 

bestfiresfull .com 

yourstabilitysystem .com 

mostpopularscan .com 

vistastabilitynow .com 


scanvistanow .net 

















vistastabilitynow .net 

central-scan .com (212.117.165.126) Maureen Whelan 
Email: maureenwhelanjr@googlemail.com 

royalsoftwareupdate .com 
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uptodate-protection .com 
updatesoftwarecenter .com 
webscannertools .com 

protectprivacyl8 .com (209.249.222.48) Arnes Skopec 
Email: arnessl2370@gmail.com 

malwarescanner20 .com 

antispyscannerl3 .com 

privacyscannerl5 .com 

easywinscannerl7 .com 

systemscannerl9 .com 

malwaredefender2009 .com (67.43.237.75) Josef Branc 
Email: jsfsl2341@googlemail.com 

systemguard2009 .com 

systemguard2009m .com 

angantivirus-2009 .com (70.38.73.26) 

angantivirus2009 .com 



check-ms-antivirus .com (78.26.179.131) Brett Quihuiz 
Email: BrettQuihuiz@gmail.com 

ms-loads-av .com (78.26.179.137) Hou Stephen Email: 
StepDunnu@gmail.com 

secure-data-group .com (209.8.45.147) Joseph Barnes 
Email: jhbarnes40@gmail.com 

dlmaldef09 .com (67.43.237.78) Josef Branc Email: 
jsfsl2341@googlemail.com 

dlsgd3 .com 

getsgd3 .com 

getsysgd09 .com 

getmaldef09 .com 

dlsg09 .com 

getsg09 .com 
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gomaldef09 .com (67.43.237.77) Josef Branc Email: 
jsfsl2341@googlemail.com 

gosgd3 .com 

gosysgd09 .com 

gosg09 .com 

anti-virus-2010-pro .info (70.38.19.201) Ivan Durov 
Email: idomains.admin@gmail.com 


av2010pro .com 
anti-virus-1 .info 
bestdownloadavl .info 
antivirusl-site .info 
anti-virus-2010-pro-downloads .info 
anti-virusl-installs .info 
webprotectionreads .com (94.247.3.74) 
stabilitytraceweb .com 
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safetyscanworld .com 
instantsecurityscanworld .com 
thestabilityinternetworld .com 
stabilityexamineguide .com 
scanusonline .com 
websafetynetscan .com 
websafetynetscan .com 
webstabilityscan .com 

[1] Bad, bad, cybercrime-friendly ISPs! 

Related posts: 

[2] A Diverse Portfolio of Fake Security Software - Part Fifteen 



[3] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[4] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[5] A Diverse Portfolio of Fake Security Software - Part Twelve 

[6] A Diverse Portfolio of Fake Security Software - Part Eleven 

[7] A Diverse Portfolio of Fake Security Software - Part Ten 

[8] A Diverse Portfolio of Fake Security Software - Part Nine 

[9] A Diverse Portfolio of Fake Security Software - Part Eight 

[10] A Diverse Portfolio of Fake Security Software - Part 
Seven 

[11] A Diverse Portfolio of Fake Security Software - Part Six 

[12] A Diverse Portfolio of Fake Security Software - Part Five 

[13] A Diverse Portfolio of Fake Security Software - Part Four 

[14] A Diverse Portfolio of Fake Security Software - Part Three 

[15] A Diverse Portfolio of Fake Security Software - Part Two 

[16] Diverse Portfolio of Fake Security Software 

1. http://blo a s.zdnet.com/securit v/7 p = 2764 

2. http://ddanchev.blo as pot.com/2QQ9/Q2/diverse-portfolio- 
of-fake-securitv.html 

3. http://ddanchev.blo as pot.com/2QQ9/Ql/diverse-portfolio- 
of-fake-securitv.html 
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6. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse-Portfolio- 
of-fake-securitv_28.html 

7. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse-portfolio- 
of-fake-securitv 22.html 
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of-fake-securitv_16.html 

9. http://ddanchev.blo as pot.com/20Q8/lQ/diverse-portfoliQ- 
of-fake-securitv.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv_3Q.html 

11. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv 24.html 

12. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv.html 

13. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv 25.html 

14. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv_2Q.html 

15. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfoUo-of-fake-securrifv.html 

16. http://ddanchev.blo as pot.com/2QQ7/12/diverse- 
portfolio-of-fake-securitv.html 




























































Summarizing Zero Day's Posts for March (2009-03- 
31 17:54) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for March. You can also go through 

previous summaries for [2]February, [3]January, 
[4]December, [5]November, [6]October, [7]September, 
[8]August 

and [9]July, as well as subscribe to my [10]personal RSS 
feed or [ll]Zero Day's main feed. 

Notable articles include: [ 12]lnside BBC's Chimera botnet 
and [13]Study: IE8's SmartScreen leads in malware 

protection. 

01. [14]Conficker worm to DDoS legitimate sites in March 

02. [15]Bad, bad, cybercrime-friendly ISPs! 

03. [16]Google downplays severity of Gmail CSRF flaw 

04. [17]USAID.gov compromised, malware and exploits 
served 

05. [18]lnternational Kaspersky sites susceptible to SQL 
injection attacks 

06. [19]New study details the dynamics of successful 
phishing 


07. [20]BBC team buys a botnet, DDoSes security company 
Prevx 

08. [21]Comcast responds to passwords leak on Scribd 

09. [22]Diebold ATMs infected with credit card skimming 
malware 

10. [23]Ex-botnet master hired by TelstraClear 

11. [24]Study: IE8's SmartScreen leads in malware 
protection 
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12. [25]Scareware meets ransomware: "Buy our fake 
product and we'll decrypt the files" 

13. [26]lnside BBC's Chimera botnet 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/2QQ9/Q3/summarizin a- 
zero-da vs- posts-for.html 

3. http://ddanchev.blo as pot.com/2QQ9/Q2/summarizin a- 
zero-da vs- posts-for- i anuarv.html 














4. http://ddanchev.blo as pot.com/2QQ9/Ql/summarizin a- 
zero-da vs- posts-for.html 


5. http://ddanchev.blo as pot.com/2QQ8/12/summarizin a- 
zero-da vs- posts-for.html 

6. http://ddanchev.blo as pot.com/2QQ8/ll/summarizin a- 
zero-da vs- posts-for-october.html 

7. http://ddanchev.blo as pot.com/2QQ8/lQ/summarizin a- 
zero-da vs- posts-for.html 

8. http://ddanchev.blo as pot.com/2QQ8/Q9/summarizin a- 
zero-da vs- posts-for-au a ust.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q8/summarizin a- 
zero-da vs- ppsts-foN ul v.html 

10. http://updates.zdnet.com/ta a s/dancho-i-danchev.html? 
t=Q&s=Q&o=l&mode=rss 

11. http://feeds.feedburner.com/zdnet/securit v 

12. httP://blo a s.zdnet.com/securit v/? p=3Q45 

13. http://blo a s.zdnet.com/securit v/? p=2981 

14. http://blo a s.zdnet.com/securit v/? p=2754 

15. http://blo a s.zdnet.com/securit v/? p=2764 

16. httP://blo a s.zdnet.com/securit v/? p=2773 

17. http://blo a s.zdnet.com/securit v/? p=2817 

18. http://blo a s.zdnet.com/securit v/? p=2842 

19. http://blo a s.zdnet.com/securit v/? p=2846 

























































20. httP://blo a s.zdnet.com/securit v/? p=2868 

21. http://blo a s.zdnet.com/securit v/? p=290Q 

22. http://blo a s.zdnet.com/securit v/? p=2908 

23. http://blo a s.zdnet.com/securit v/? p=2976 

24. http://blp a s.zdnet.com/securit v/? p=2981 

25. http://blo a s.zdnet.com/securit v/? p=3014 

26. http://blo a s.zdnet.com/securit v/? p=3045 
114 


£ 


Diverse Portfolio of Fake Security Software - Part 
Seventeen (2009-03-31 17:58) 

The following are some of the currently active/about to go 
online rogue security software domains, and their 

associated payment gateways exposed in the spirit of the 
[l]Diverse Portfolio of Fake Security Software series. During 
the past two months, an obvious [2]migration of well known 
Russian Business Network customers continues taking 

place, with their portfolios of malicious campaigns currently 
parked several ISPs, zlkon.lv (DATORU EXPRESS SERVISS 

Ltd (AS12553 PCEXPRESS-AS) remaining the ISP of choice 
for the time being, in the context of rogue security software. 

mydwnld .com (94.102.51.14; 88.198.8.15; 94.102.51.14) 

desktoprepairpackage .com 























malwareremovingtool .com 
spywareprotectiontool .com 
pcantimalwaresolution .com 
pcsolutionshelp .com 
removespywarethreats .com 
yournetcheckonline .com (94.247.2.215) 
bestnetcheckonline .com 
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easynetcheckonline .com 
yourwebexamine .com 
bestwebexamine .com 
easywebexamine .com 
yourinternetexamine .com 
myinternetexamine .com 
linkcanlive .com 
yourwebscanlive .com 
easywebscanlive .com 
internethomecheck .com 
websecurecheck .com 
websportscheck .com 



websmartcheck .com 


yournetascertain .com 
yournetcheckpro .com 
bestwebscanpro .com 
security-check-center .com 
downloadantivirusplus .com 
theantivirusplus .com 
myantivirusplus .com 
safeyouthnet .com 
av-plus-support .com 
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antispywareproupdates .com (94.76.213.227) Jeanne M 
Bartels Email: dev@angelespd.com 

microsoft.infosecuritycenter .com 

microsoft.softwaresecurityhelp .com 

professionalupdateservice .com 

platinumsecurityupdate .com 

platinumsecurityupdate .com 

antispywarequickupdates .com (78.137.168.33) 


paymentsystemonline .com (213.239.210.54) Jerom M 
Collins Email: admin@routerpayments.com 

liveupdatesoftware .com 

royalsoftwareupdate .com 

protectionsoftwarecheck .com 

securitysoftwarecheck .com 

privateupdatesystem .com 
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updatesoftwarecenter .com 
updateprotectioncenter .com 
updatepcsecuritycenter .com 
powerdownloadserver .com 
rapidsoftwareupdates .com 
professionalsoftwareupdates .com 
allsoftwarepayments .com 
powerfullantivirusproduct .com 
securedprostatsupdates .cn 
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liveantimalwareproscan .com (91.211.64.47) Giang B 
Ahrens Email: chu-thi-huong@giang.com 


liveantimalwarequickscnan .com 

online-antimalware-scanner .com 

advancedprotectionscanner .com 

advancedproantivirusscanner .com 

securedsystemupdates .com (78.47.248.113) Anatoliy 
Lushko Email: tvdomains@lycos.com 

premiumworldpayments .com 

systemsecuritytool .com (209.44.126.16) 

systemsecurityonline .com 

internetsafetyexamine .com (91.212.65.55) 

youronlinestability .com 

promotion-offer .com (78.46.148.49; 85.17.254.158; 
88.198.233.225; 89.248.168.46) Email: Roland Peters 
roland-peters@europe.com 

During March, a new type of [3]scareware with elements of 
ransomware started circulating in the wild. It will 

be interesting to monitor whether it will become the de- 
facto standard for optimizing revenues out of rogue security 
software. 

Related posts: 

[4] A Diverse Portfolio of Fake Security Software - Part 
Sixteen 

[5] A Diverse Portfolio of Fake Security Software - Part Fifteen 



[6] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[7] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[8] A Diverse Portfolio of Fake Security Software - Part Twelve 

[9] A Diverse Portfolio of Fake Security Software - Part Eleven 

[10] A Diverse Portfolio of Fake Security Software - Part Ten 
[11 ]A Diverse Portfolio of Fake Security Software - Part Nine 

[12] A Diverse Portfolio of Fake Security Software - Part Eight 

[13] A Diverse Portfolio of Fake Security Software - Part 
Seven 

[14] A Diverse Portfolio of Fake Security Software - Part Six 

[15] A Diverse Portfolio of Fake Security Software - Part Five 

[16] A Diverse Portfolio of Fake Security Software - Part Four 

[17] A Diverse Portfolio of Fake Security Software - Part Three 

[18] A Diverse Portfolio of Fake Security Software - Part Two 

[19] Diverse Portfolio of Fake Security Software 

1. http://ddanchev.blo as DOt.com/20Q9/03/diverse-portfolio- 
of-fake-securitv.html 

2. http://blo a s.zdnet.com/securit v/7 p = 2764 

3. http://blo a s.zdnet.com/securit v/? p = 3014 















4. http://ddanchev.blo as pot.com/2QQ9/Q3/diverse-Portfolio- 
of-fake-securitv.html 

5. http://ddanchev.blo as pot.com/20Q9/Q2/diverse-portfolio- 
of-fake-securitv.html 

6. http://ddanchev.blo as pot.com/2QQ9/Ql/diverse-Portfolio- 
of-fake-securitv.html 

7. http://ddanchev.blo as pot.com/2QQ8/ll/diverse-portfolio- 
of-fake-securitv 12.html 

8. http://ddanchev.blo as pot.com/20Q8/ll/diverse-portfolio- 
of-fake-securitv.html 

9. http://ddanchev.blo as pot.com/20Q8/lQ/diverse-portfoliQ- 
of-fake-securitv 28.html 

10. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfolio-of-fake-securitv 22.html 

11. http://ddanchev.blo as pot.com/2Q08/lQ/diverse- 
portfolio-of-fake-securitv 16.html 

12. http://ddanchev.blo as pot.com/2QQ8/10/diverse- 
portfolio-of-fake-securitv.html 
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13. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv_3Q.html 

14. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv 24.html 

15. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv.html 
























































16. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv_25.html 


17. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv_20.html 

18. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv.html 

19. http://ddanchev.blo as pot.com/2QQ7/12/diverse- 
portfolio-of-fake-securitv.html 
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Bogus Linkedln Profiles Redirect to Malware and 
Rogue Security Software (2009-04-01 17:38) 

From the automatically registered [l]bogus Linkedln profiles 
promoting pharmaceuticals campaign in February, to 

[2]January's malware campaign redirecting to malware Zlob 
variants and rogue security software, the malware gang 
behind both of these campaigns is once again showcasing 
its persistence. 

It gets even more interesting when a direct connection 
between January's, this very latest campaign, and the 

most recent massive [3]comment-spam attack at Digg.com, 
is established since the very same malware domains are 


















participating in all of the campaigns (e.g funkytube .net) 
Bogus Linkedln profiles for March: 

linkedin .com/in/keeleyhazellsextape 
linkedin .com/in/minimesextape 
linkedin .com/in/lindsaylohansextapel 
linkedin .com/in/vernetroyersextape 
linkedin.com/in/freejennifertoasteetoofsex 
linkedin .com/in/parishiltonsextapeq 
linkedin .com/in/britneyspearssextapeq 
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linkedin .com/in/carmenelectra 

linkedin .com/in/halleberrysexscene 

linkedin .com/pub/dir/tila tequila/sex 

linkedin .com/in/carmenelectrasexl 

linkedin .com/in/carmenelectrasexscenel 

linkedin .com/pub/dir/jennifer %20aniston/sex 
%20scene 

linkedin .com/in/lindsaylohansexl 
linkedin.com/in/olsentwinsnude 


Iinkedin.com/in/keiraknightleynude 
linkedin.com/in/christinaaguileradirrtyl 
linkedin.com/pub/dir/emma watson/wearing 
linkedin.com/in/trishstratusnude 
linkedin.com/pub/dir/ellen degeneres/gay 
linkedin.com/in/angelinajolienakedl 
linkedin.com/in/carmenelectranakedl 
linkedin.com/pub/dir/tila tequila/porn 
linkedin.com/pub/dir/emma watson/porn 
linkedin.com/pub/dir/disney's raven/symone nude 
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linkedin .com/pub/dir/olsen twins/camel toe 
linkedin .com/in/aliciamachadodesnuda 
linkedin .com/pub/dir/leighton meester/nude 
linkedin .com/in/katehudsonnude 
linkedin .com/in/jenniferanistonbangsl 
linkedin .com/in/hilaryduffnude2 
linkedin .com/in/adriennebailonnaked 
linkedin .com/in/jennifermorrisonnudel 
linkedin .com/in/jenniferlopezdesnuda 




linkedin .com/in/jennifergarnernudel 

linkedin .com/in/aishwaryaraiwearingnothing 

linkedin .com/in/isprinceharrygay 

linkedin .com/in/vanessahudgensnude 

linkedin .com/in/mariahcareynudel 

linkedin .com/pub/dir/olsen twins/nudity 

linkedin .com/pub/dir/denise richards/naked 

linkedin .com/pub/dir/kate mara/naked 

linkedin .com/in/carmencocksl 

linkedin .com/in/ravensymonebreast 

linkedin .com/in/adriennebailonnudephotos 

linkedin .com/pub/dir/shakira/nude 

linkedin .com/in/jenniferanistonnude 

linkedin .com/in/emmawatsonkissingsomeone 

Using a celebrities theme, all of these bogus accounts are 
linking to the same malware serving domains. The 

following central redirectors : 

oymomahon .com/fathulla/ll.html 
oymomahon .com/mirolim-video/3.html 
oymomahon .com/paqi-video/28.html 




muse. 100-celebrities .com/paqi-video/l.html 
nahyu .org/xxxx/ 
lk .pl/nufexz 

are then redirecting to another set of fake codec domains : 

xretrotube .com 
globextubes .com 
globalstube2009 .com 
globerstube .com 
spywareremover21 .com 
antispyscannerl3 .com 
privacyscannerl5 .com 
easywinscannerl7 .com 
systemscannerl9 .com 
sgviralscan .com 

to ultimately direct the visitor to the actual binaries: 

nahyu .org/xxx/video/teens _fuck_orgyll.mpeg.exe 

[4]detection rate 

loyaldown99 .com/codec/186.exe - [5]detection rate 

kol-development .com/viewtubesoftware.40012.exe 

[6]detection rate 
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Despite the fact that [7]real-time/event-based blackhat 
search engine optimization is gaining popularity these days, 
blackhat SEO in its very nature relies on huge bogsus 
content farms, using a diverse theme-based set of content, 
usually generated in an automated fashion. Real-time 
blackhat SEO or standard volume-based blackhat SEO as a 

tactic of choice? Does it really matter given that from the 
perspective of tactical warfare, combining well proven 
tactics results in high click-through/infection rates for the 
campaigns in question. 

Related posts: 

[8] Blackhat SEO Redirects to Malware and Rogue Software 

[9] The Invisible Blackhat SEO Campaign 

[10] Attack of the SEO Bots on the .EDU Domain 

[11] pOrn.gov - The Ongoing Blackhat SEO Operation 

[12] The Continuing .Gov Blackat SEO Campaign 

[13] The Continuing .Gov Blackhat SEO Campaign - Part Two 

[14] Rogue RBN Software Pushed Through Blackhat SEO 

[15] Massive Blackhat SEO Targeting Blogspot 

[16] Blackhat SEO Campaign at The Millennium Challenge 
Corporation 

[17] Fake Porn Sites Serving Malware 

[18] Fake Porn Sites Serving Malware - Part Two 

[19] Fake Celebrity Video Sites Serving Malware 



[20] Fake Celebrity Video Sites Serving Malware - Part Two 

[21] Fake Celebrity Video Sites Serving Malware - Part Three 

[22] The Template-ization of Malware Serving Sites 

[23] The Template-ization of Malware Serving Sites - Part Two 
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Inside a Zeus Crimeware Developer's To-Do List 
( 2009 - 04-08 20 : 39 ) 

Every then and now I get asked a similar question in regard 
to crimeware kits - which is the latest version of a particular 
crimeware/web malware exploitation kit? 

The short answer is -1 don't know. And I don't know not 
because I'm a victim of an outdated situational 

awareness, but due to the fact that nowadays third-party 
developers are so actively tweaking it that coming up with a 
version number would be inaccurate from my perspective. 
Therefore, whenever I provide such a version number, I try 
to emphasize and provide practical examples of how the 
current decentralization of coding from the core authors to 
third-party developers and, of course, scammers brand 
jacking the Zeus brand, is making the answer a little bit 
more complex than it may seem at the first place. 

For instance, cybercriminals themselves have been 
capitalizing on this situation during the last two quarters, 

by speculating with the version numbers and offering 
backdoored copies of non-existent Zeus releases, [l]in a 
















attempt to hijack their Zeus botnets at a later stage - a 
practice that [2]phishers have been taking advantage of for 
a while. Anyway, once I'm able to sort of cluster a particular 
third-party developer's persistence in tweaking the Zeus 
crimeware kit, an interesting picture emerges. For instance, 
a team member from a third-party developer of backend 
systems for botnets that came up with the [3]built-in MP3 
player in a Zeus release, is also directly involved 126 
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in developing the backend system and GUI for [4]the 
Chimera botnet which the British Broadcasting Corporation 

purchased last month. 

Let's discuss the way the version number system in the 
Zeus crimeware, before we take a peek at a recent 

CHANGELOG, and a future TO-DO list from one of the third- 
party developers. Zeus version a.b.c.d means that 

change in A stands for a complete change in the bot, B 
stands for major changes that make previous bot versions 
incompatible, C stands for modifications and performance 
boosting, and D is a prophylactic change in order to avoid 
antivirus solutions from detecting it. 

The Q &A applied in Zeus can be easily seen by taking a 
peek at some of the changes that took place in De¬ 
cember, 2008 : 

" Change 10.12.2008 

- Documentation will no longer be available in a CHM 
format, instead in a plain-text format 


- The bot is a now able to receive commands not only by 
using the send command function, but also during requests 
for files and logs changes 

- Local data requests to the server and the configuration file 
can be encrypted with RC4 key depending on your choice 

- In order to decrease the load on the server, a fully updated 
bot-to-server and server-to-bot communication protocol is 
introduced 
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Change 20.12.2008 

- Small error fixed when sending reports 

- The size of the report cannot exceed 550 characters 

- Error fixed in the bot due to low timeout for sending POST 
requests resulting in dropping requests for log files bigger 
than 1 MB 

Change 2.03.2009 

- Changed the default cryptor routines 

- Updated process of building the bot 

- Optimized compressed of the binary 

- Rewritten the process of assembling the configuration file 

- Changed the MyMSQL tables 

- Fixed fonts in the panel due to bogus displaying of 
characters 



- Updated Geolocation database " 

The following "To-Do" list, pretty similar to another one 
which I discussed last year ([5]A Botnet Master's To-Do List). 
What's to come in the Zeus crimeware kit, at least courtesy 
of a sampled third-party developer? The 

following features have been in the works for several 
months now: 

" - Compatibility with Windows Vista and Windows 7 

- Improved Win API hooking 

- Random generation of configuration files to avoid generic 
detection" 

- Console-based builder 

- Version supporing x86 processors 

- Full IPv6 support 

- Detailed statistics on antivirus software and firewalls 
installed on the infected machines " 

The Zeus crimeware is not going away from the radar 
anytime soon, and the main reason for that is not the 

fact that its exclusive features outperform the ones in the 
Limbo crimeware and the Adrenalin crimeware, but due to 
the fact that Zeus has a much bigger fan base, and well 
established third-party community around it. 

Image courtesy of [6]Abuse.ch's Zeus Tracker - the one that 
[7]got DDoS-ed in February due to its apparent 


usefulness. 
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Exploitable Flaw 

1. http://ddanchev.blo as pot.com/2QQ9/Q2/help-someone- 
hii acked-mv-100k-zeus.html 

2. http://blo a s.zdnet.com/securit v/7 p = 1641 

3. http://ddanchev.blo as pot.com/2QQ8/Q9/modified-zeus- 
crimeware-kit-comes-with.html 

4. http://blo a s.zdnet.com/securit v/? p = 3Q45 
128 

5. http://ddanchev.blo as pot.com/2008/Q4/botnet-masters- 
to-do-list.html 

6. https://zeustracker.abuse.ch/mon itor. ph p?filter=on line 





















7. http://blo a s.zdnet.com/securit v/? p = 2596 


8. http://ddanchev.blo as pot.com/2QQ9/Q3/crimeware-in- 
middle-ljmbo.html 

9. http://ddanchev.blo as pot.com/20Q9/Q2/crimeware-in- 
middle-adrenalin.html 


10. http://ddanchev.blo as pot.com/2QQ8/Q4/crimeware-in- 
middle-zeus.html 


11. http://ddanchev.blo as pot.com/2QQ8/Q8/76service- 
c vbercrime-as-service- a oin a .html 

12. http://ddanchev.blo as pot.com/2QQ8/12/zeus-crimeware- 
as-service- a oin a .html 

13. http://ddanchev.blo as pot.com/2QQ8/ll/modified-zeus- 
crimeware-kit- a ets.html 

14. http://ddanchev.blo as pot.com/2QQ8/Q9/modified-zeus- 
crimeware-kit-comes-with.html 


15. http://ddanchev.blo as pot.com/2QQ8/ll/zeus-crimeware- 
kit- g ets-cardin g -lavout.html 

16. http://ddanchev.blo as pot.com/2QQ8/Q6/zeus-crimeware- 
kit-vulnerable-to.html 

129 




A Diverse Portfolio of Fake Security Software - Part 
Eighteen (2009-04-08 21:26) 

With [l]Microsoft's latest Security Intelligence Report 
indicating that [2]scareware/fake security software 







































continues growing, it's worth exposing some of the currently 
circulating rogue security software domains, their 
registrants, and the usual "Deja Vu" moment putting the 
spotlight on well-known RBN web properties, whose 
exposure demonstrates that some of the groups that I've 
been tracking are still alive and kicking, but this time are 
much more actively monetizing their cybercrime 
committing capabilities. 

avs-online-scan .org (209.250.241.164) Oleg Bajenov 
Email: oleg.bajenov@gmail.com 

av-lookup .org 

am-scan .com 
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system-scan-1 .biz 
sys-scanner-1 .biz 
sys-scan-wiz .biz 
scanner-wiz-1 .com 

webwidesecurity .com (94.247.3.3) Rosalind Lewis Email: 
RosalindRLewis@text2re.com 

webprotectionscan .com 

greatvirusscan .com 

beststabilityscans .com 

todaybestscan .com (174.129.241.185; 

174.129.244.106; 



209.44.126.14) Elliott Cameron Email: 
sup- 

port@zitoclick.com; Anatolij Andreev Email 
yeep33@gmail.com 

thebestsecurityspot .com 

securitytopagent .com 

inetsecuritycenter .com 

fullandtotalsecurity .com 

activesecurityshield .com 

getpcguard .com 

websecurityvoice .com 

onlinescanservice .com 

scanalertspage .com 

scanbaseonline .com 

bestsecurityupdate .com 

getsecuritywall .com 

bestfiresfull .com 

initialsecurityscan .com 

websecuritymaster .com 


runpcscannow .com 



thegreatsecurity .com 
truescansecurity .com 
checkonlinesecurity .com 
spy-protector-pro .com 
DNS servers of notice: 
nsl.ahuliard .com 
ns2.ahuliard .com 
nsl.fuckmoneycash .com 
ns2.fuckmoneycash .com 
nsl.zitodns .com 
ns2.zitodns .com 

Now comes the deja vu moment. At 174.129.241.185 and 
174.129.244.106 we also have parked ilovemyloves .com 

one of the [3]domains used in the iFrame attack during the 11 
[4]Possibility Media's Malware Fiasco" back in 2007 

which was then parked at the RBN's HostFresh ifrastructure 
(58.65.239.28). Behind the malware campaign back then 
was the [5]New Media Malware Gang" ([6]Part Three; [7]Part 
Two and [8]Part One) which was not only using RBN 

services, but was directly cooperating with the Storm Worm 
authors. Among their most recent campaigns was the 

groups direct involvement in the malware campaigns at 
[9]the Azerbaijanian Embassies in Pakistan and Hungary. 



It gets even more interesting to see what they're up to in 
2009, considering the fact that they have also parked 
domains used (174.129.241.185 and 174.129.244.106) in 
currently ongoing Facebook phishing campaign, which is 
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switching themes from Match.com to Classmates.com : 

facebook. shared. id-pegxaaei62.emberui web 
.765access.com 

facebook. shared. id-0izlud0w6j. la unchpad 
.765access.com 

f acebook. shared. id-6oxyclcpus. initiated 
.765access.com 

facebook. shared. id-6xcse5q79c.usermanage 
.765access.com 

facebook.shared.id-9q0bfta8bf.login .765access.com 

facebook.shared.id-l8rz3d87j7.processlogon 

.765access.com 

f acebook. shared. id-m071qcxkf 3. version 
.765access.com 

f acebook. shared. id-ao7zx28bhw. identification 
.765access.com 

f acebook. shared. id-usxeye68vn.secureconnection 
.765access.com 

facebook. shared. id-lc9i4p09yi. disbursements 
.765access.com 



facebook. shared. id-6y8nzpemkx.securedocuments 
.765access.com 

facebook. shared. id-0ulo0e9gyj.cebma inservlet 
.765access.com 

f acebook. shared. id-4bl6kzpiuk.ceptservlet 
.765access.com 

f acebook. shared. id-xqa6odo94z. content 
.765access.com 

facebook.shared.id-5ul0q3vp8q.completeserv 

.765access.com 

facebook.shared.id-ql2fzhydat.intvitation 

.9845account.com 

facebook.shared.id-5ajv5861qd.securedocuments 

.9845account.com 

f acebook. shared. id-3dcznhmord. statement 
.9845account.com 

f acebook. shared. id-o6lo04atww. statement 
.9845account.com 

The group has clearly diversified its activities, but continues 
relying on its well known portfolio of domains as a 
foundation. 
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Conficker's Sea re ware/Fake Security Software 
Business Model (2009-04-14 19:55) 

It doesn't take a rocket scientist to conclude that sooner or 
later the people behind [l]the Conficker botnet had to 
switch to monetization phase, and start earning revenue by 
using well proven business models within the cybercrime 
ecosystem. 

Interestingly - at least for the time being - there's no 
indication of mainstream advertising propositions offering 
partitioned pieces of the botnet, managed fast-fluxing 
services ([2]Managed Fast Flux Provider; [3]Managed Fast 
Flux Provider - Part Two), hosting of [4]scams and [5]spam, 
examples of which we've already seen related cases 

where a [6]money mule recruitment agency was using 
ASProx's fast-flux network services, next to [7]Srizbi's 
botnet managed spam service propositions. 

How come? Pretty simple, starting from the fact that 
[ 8 ]sc are ware/fake security software as a monetization 

process remains [9]the most liquid and efficiently 
monetized asset the underground economy has at its 
disposal. The scheme is so efficient that the money 
circulating within the affiliate networks are often an easy 
way for cybercriminals to quickly money launder large 
amounts of money in a typical win-win revenue sharing 
scheme. 
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The [10]Conficker gang is monetization-aware, that's for 
sure. But they forget a simple fact - that in a cybercrime 
ecosystem visibility is not just proportional with decreased 
OPSEC ([lljViolating OPSEC for Increasing the Probability of 
Malware Infection), but also, that despite their risk- 
decreasing revenue sharing model, the " follow the money 
trail" practice becomes more and more relevant. 

The most recent variant ([12]Net-Worm.Win32.Kido.js) is the 
group's second attempt to monetize the botnet, 

following by the original Conficker variant's traffic converter 
connection [13]pushing fake security software. According to 
Aleks Gostev at Kaspersky Labs: 

" One of the files is a rogue antivirus app, which we detect 
as FraudTool. Win32.SpywareProtect2009.s. 

The 

first version of Kido, detected back in November 2008, also 
tried to download fake antivirus to the infected machine. 

And once again, six months later, we've got unknown 
cybercriminals using the same trick. The rogue software, 
5pywareProtect2009, can be found on spy-protect- 
2009. com., spywrprotect-2009.com, 
spywareprotector-2009.com. " 

Regular researchers/law enforcement followers of [14]the 
Diverse Portfolio of Fake Security Software series are pretty 
familiar with the SpywareProtect brand. Therefore, it's time 
to familiarize ourselves with the rogue SpywareProtect 
through the revenue earning scheme the latest Conficker 
variant is using. Among the currently active/recently 



registered SpywareProtect portfolios are managed by 

Geraldevich Viktus Email: krutoymen2009@inbox.ru 

and conveniently just like Kaspersky states, are all parked in 
Ukraine. 

In case you remember according to SRI International's 
[15]Analysis of the Conficker worm, the authors did sig¬ 
nal a national preference since the first release " randomly 
generates IP addresses to search for additional victims, 
filtering Ukraine IPs based on the GeoiP database. " and also 
" Conficker A incorporates a Ukraine-avoidance routine that 
causes the process to suicide if the keyboard language 
layout has been set to Ukrainian. " followed by a third 
Ukrainian lead, namely the fact that " on 27 December 2008 
we stumbled upon two highly suspicious connection 
attempts that might link us to the malware authors. 
Specifically, we observed two Conficker B URL requests sent 
to a Conficker A Internet rendezvous point: * Connection 1: 
81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 

200.68.XX.XXX -Alternativagratis.com, Buenos Aires, 
Argentina." 
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SpywareProtect's current portfolio is hosted in Ukraine as 
follows: 

spy-wareprotector2009 .com (94.232.248.53) Ukraine 
Bastion Trade Group, AS48841, EUROHOST-AS Eurohost LLC 

spyware-protector-2009 .com 

spy-protect-2009 .com 


spywprotect .com 

The second portfolio is also parked in Ukraine as follows: 

sysguard2009 .com (195.245.119.131) AS34187, 
RENOME-AS Renome-Service: Joint Multimedia Cable 
Network 

Odessa, Ukraine 

swp2009 .com 
spwrpr2009 .com 
alsterstore .com 
adwareguard .net 
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In a typical multitasking fashion, a connection between 
some of these very latest SpywareProtect portfolios (e.g 
spywrprotect-2009 .com) can be established with Zeus 
crimeware campaigns, since particular droppers have been 
known to have been installing the scareware next to Zeus 
crimeware used to be hosted at the following locations: 

[16] capitalex .ws/adv.bin (213.155.10.176) 

[17] cashtor .net/tor22/tor.bin (91.193.108.222) 

[18] goldarea .biz/adv.bin (91.197.130.39) 

It's also worth pointing out that every time the Conficker 
authors claim their payments from the affiliate net¬ 
work in question, they expose themselves which makes me 
wonder one thing. Are the hardcore Conficker authors 



directly earning revenue out of the scareware, or are they 
basically partitioning the botnet and selling it to someone 
who's monetizing it and naturally breaking-even out of their 
investment? 

In a network whose activities will inevitably start converging 
with the rest of the cybercrime ecosystem's par¬ 
ticipants' activities - [19]the Waledac connection - it's 
crucual to keep the track-down-and-prosecute process 

as simple as possible. In this case - the Conficker 
authors'/customers of their botnet services [20]asset 
liquidity obsession, may easily end up in someone's $250k 
reward claim. Patience is a virtue. 
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Twitter Worm Mikeyy Keywords Hijacked to Serve 
Scareware (2009-04-15 22:26) 

Not necessarily in real-time ([l]Syndicating Google Trends 
Keywords for Blackhat SEO) but sc a re ware/fake security 
software distributors quickly attempted to [2]capitalize on 
the anticipated traffic related to this weekend's [3]Twitter 
XSS worm StalkDaily/Mikeyy. 

What's particularly interesting about this campaign, is not 
the fact that all of the currently active domains are operated 
by the same individual/group of individuals or that their 
blackhat SEO farms are growing to cover a much wider 
portfolio of keywords. 
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It's a tiny usa.js script (e.g myl.dynalias .org/usa.js) 

hosted on all of the domains, which takes advantage of a 
simple evasive practice - referrer checking in order to serve 
or not to serve the malicious content. 

For instance, deobfuscated the script checks whether the 
user is coming from the following search engines var se 

= new ArrayCgoogle", "msn", "aol.com", "yahoo", " 
Comcast"); if (document.referrer)ref = 
document.referrer; . 

If the user/researcher is basically wandering around, a 
blackhat SEO page with no malicious redirections would be 
served. 
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The following are all of the currently active and participating 
domains/subdomains: 

tran.tr.ohost .de 

actual.homelinux .com 

achyutheil.ac.ohost .de 

aprln.getmyip .com 

east.homeftp .org 

myl.dynalias .org 

my2.dynalias .org 

my3.dnsalias .org 

my5.webhop .org 
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The redirection process consists of two layers. The first one 
is redirecting to hjgf .ru/go.php?sid = 5 (88.214.198.25) 
and then to msscan-files-antivir .com (195.88.81.93), 
and the second one takes place through a well [4]known 
malicious doorway redirecting domain hqtube .com/to 
_traf _holder.html (88.85.66.116) that either serves a fake 
codec that's dropping the scareware, or [5]the scareware 
itself from files.ms-load-av .com. The rest of the 
seareware/fake security software domains participating in 
the campaigns are as follows: 


msscan-files-antivir .com (195.88.81.93) - Coi Carol 
Email: carOstaO@gmail.com 

hot-girl-sex-tube .com - Erica Thomas Email: 
gerrione@gmail.com 

msscan-files-antivir .com 

msscanner-top-av .com - Mui Arnold Email: 
arnoebr@gmail.com 

msscanner-files-av .com 

antivir-4pc-ms-av .com -Jason Munguia Email: 
jasmung@gmail.com 

The bottom line - the campaign looks like a typical event- 
based blackhat SEO portfolio diversification practice. 
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A Diverse Portfolio of Fake Security Software - Part 
Nineteen (2009-04-16 17:24) 

You know things are getting out of hand when the scareware 
ecosystem scales to the point when typosquatted 

scareware domains offering removal services for the very 
same scareware distributed under multiple brands. 

In response to the potential [l]Conficker-ization of the 
scareware business, part nineteen of the Diverse Port¬ 
folio of Fake Security Software is the most massive update 
since the series started, and with a reason - to [2]squeeze 
the cybercrime ecosystem, and ruin their [3]malicious 
economies of scale revenue [4]generation approaches. 

Here are the most recent additions, with their associated 
registrant emails for clustering, cross-checking, and case 
building purposes: 
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vundofixtool .com (174.132.250.194) 

remove-winpc-defender .com 
remove-virus-melt .com 
remove-ultra-antivir-2009 .com 
remove-ultra-antivirus-2009 .com 
remove-total-security .com 
remove-system-guard .com 


remove-spyware-protect-2009 .com 
remove-spyware-protect .com 
remove-spyware-guard .com 
remove-personal-defender .com 
remove-ms-antispyware .com 
remove-malware-defender .com 
remove-ie-security .com 
remove-av360 .com 
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remove-antivirus-360 .com 
remove-a360 .com 
av360removaltool .com 
antivirus360remover .com 
remove-winpc-defender .com 
remove-virus-melt .com 
remove-virus-alarm .com 
remove-ultra-antivirus-2009 .com 
remove-ultra-antivir-2009 .com 
remove-total-security .com 


gotipscan .com (66.197.154.199) Robert Sampson Email: 
bausness@gmail.com 

scanline6 .com 

scanstep6 .com 

scanbest6 .com 

goscandata .com 

goscanhigh .com 

true6scan .com 
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any6scan .com 
golitescan .com 
gofanscan .com 
gotipscan .com 
gostarscan .com 
goluxscan .com 
goonlyscan .com 
scan6step .com 
goscanstep .com 


scan6fast .com 


scanline6 .info 


scanlog6 .info 
Iinescan6 .info 
mainscan6 .info 
log6scan .info 
main6scan .info 

addedantiviruslive .com (94.247.2.215) Administrative 
Email: werracruz99008@gmail.com 
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searchrizotto .com 
easyaddedantivirus .com 
yourcountedantivirus .com 
av-plus-support .com 
yourguardonline .cn 
easydefenseonline .cn 
bestprotectiononline .cn 
yourguardstore .cn 
examinepoisonstore .cn 
freecoverstore .cn 
myexaminevirusstore .cn 



bestexaminedisease .cn 
yourfriskdisease .cn 
friskdiseaselive .cn 
bestdefenselive .cn 
bigprotectionlive .cn 
bigcoverlive .cn 
easyserviceprotection .cn 
easypersonalprotection .cn 
myascertainpoison .cn 
yourguardpro .cn 
refugepro .cn 
mycheckdiseasepro .cn 
yourcheckpoisonpro .cn 
bigdefense2u .cn 
newguard4u .cn 
mydefense4u .cn 
bestcover4u .cn 
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fullsecurityshield .com (209.44.126.14) Gregory Bershk 
Email: bershkapull@gmail.com 

greatsecurityshield .com 

trustsecurityshield .com 

anytoplikedsite .com 

topsecurityapp .com 

inetsecuritycenter .com 

securitytopagent .com 

thebestsecurityspot .com 

topsecurity4you .com 

fullandtotalsecurity .com 
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extrantivirus.com (94.75.209.11) 

rapid-antivir-2009.com 

rapid-antivir2009.com 

rapidantivirus2009.com 

rapidantivirus09.com 

rapidantivirus.com 

ultraantivirus2009.com 


soft-traffic.com 


seresult.com is a traffic management domain for the 
campaign (e.g seresult .com/go.php?id=3466) 
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greatstabilitytraceonline .com (94.247.3.4) Jacquelyn 
Jain Email: jacquelynjjain@gmail.com 

beststabilityscan .com 

beststabilityscans .com 

esnetscanonline .com 

greatstabilitytraceonline .com 

greatvirusscan .com 

networkstabilitytrace .com 

onlinestabilityscanada .com 

protectionexamine .com 

quickstabilityscan .com 

safetyexamine .com 

stabilityinetscan .com 

stabilitysolutionslook .com 

swiftsafetyexamine .com 


149 


webprotectionscan .com 
webwidesecurity .com 

scanmix4 .com (63.146.2.92) Clifford Barton Email: 
learni co@gmail.com 

bestscan? .com 

goscandata .com 

scan7live .com 

new7scan .com 

godatascan .com 

gosidescan .com 

goluxscan .com 

goonlyscan .com 

goscanstep .com 

scantool4 .info 

newscan4 .info 

scannew4 .info 

tool4scan .info 
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exstra-av-scanner .net (78.26.179.237) Joan Oglesby 
Email: extra.antivirus@gmail.com 


msantivir-storage .com 
ms-antivirus-storage .com 
goodproantispyware .com 
ms-antivir-scan .com 
anispy-storage-ms .com 
ms-av-storage-best .com 
antivir-scanner-ms-av .com 
msscan-files-antivir .com (195.88.81.93) 
hot-girl-sex-tube .com 
msscan-files-antivir .com 
msscanner-top-av .com 
msscanner-files-av .com 
antivir-4pc-ms-av .com 
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ultraantivirus2009 .com (64.86.17.9) 
virusalarmpro .com 
vmfastscanner .com 
mysuperviser .com 
pay-virusdoctor .com 


virusmelt .com 


payvirusmelt .com 
mysupervisor .net 

msscanner-top-av .com (195.88.81.93) 
msscanner-files-av .com 
antivir-4pc-ms-av .com 
hot-girl-sex-tube .com 

antivirus-av-ms-check .com (78.26.179.131) 
antivirus-av-ms-checker .com 
ms-anti-vir-scan .com 
mega-antiviral-ms .com 

extremetube09 .com (94.247.2.7) Mariya Latinina Email 
I atini na40@gmail.com 

softupdate09 .com 

extrafastdownload .com 

myrealtube .net 
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extraantivir .com (206.53.61.74) 

no-as-scanner .com (195.88.81.37) Roy Latoya Email: 
latoysmith@gmail.com 


pro-scanner-av-pc .com 



tantispyware .com (65.110.60.123; 65.110.60.122) 

webantispy .com 

pantispyware09 .com 

fastantivirus09 .com (94.75.209.74) 

Blacklisting -until the domains themselves get suspended - 
the scareware domains proactively protects your 

customers from the "final output" of a huge percentage of 
attacks taking advantage of [5]blackhat SEO, [6]SQL 

injection, [7]site compromise, [8]malvertising, and 
[9]automatic abuse of Web 2.0 services through human- 
based 

CAPTCHA solving such as [10]Digg; [lljLinkedln, [12]Bebo, 
[13]Picasa and ImageShack, [14]YouTube and [15]Google 
Video. 
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A CCDCOE Report on the Cyber Attacks Against 
Georgia (2009-04-16 19:20) 

Following the coverage of my M [l]Coordinated Russia vs 
Georgia cyber attack in progress" research in the 
[2]Georgian government's official report "[3]Russian 
Cyberwar on Georgia" (on page 4), I was very excited to find 
out that a report by [4]NAT0's Cooperative Cyber Defense 
Centre of Excellence entitled "[5]Cyber Attacks Against 
Georgia: Legal Lessons Identified" and authored by Eneken 
Tikk, Kadri Kaska, Kristel Runnimeri, Mari Kert, Anna-Maria 
Tali-harm, Liis Vihul, is not only [6]quoting me extensively, 
but has also reproduced the entire research within the 
Annexes. 

Looks great! 

Recommended reading: 

[7] DDoS Attack Graphs from Russia vs Georgia's 
Cyberattacks 
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[8] The Russia vs Georgia Cyber Attack 














[9] Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth 

[10] People's Information Warfare Concept 

[11] Combating Unrestricted Warfare 

[12] The Cyber Storm II Cyber Exercise 

[13] Chinese Hacktivists Waging People's Information 
Warfare Against CNN 

[14] The DDoS Attacks Against CNN.com 
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Networks 
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Massive Blackhat SEO Campaign Serving Scareware 
(2009-04-22 19:57) 

Over the past couple of days, I've been monitoring yet 
another massive blackhat SEO campaign consisting of the 

typical hundreds of thousands of already crawled bogus 
pages serving [l]scareware/fake security software. 

Later on Google detected the campaign and removed all the 
blackhat SEO farms from its index, which during the 

time of assessment were close to a hundred domains with 
hundreds of subdomains, and thousands of pages within. 

And despite that the abuse notifications for some of the 
central redirection domains proved effective, it took 
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the cybercriminals approximately 24 hours to catch up, and 
once again start hijacking search queries, in a combination 
of scareware, and pay per click redirections. 

It's worth pointing out that this very latest campaign is 
directly related to [2]last's week's keywords hijacking 
blackhat SEO campaign, with both campaigns relying on 
identical redirection domains, and serving the same 
malware. Who's behind these search engine poisoning 
attacks? An Ukranian gang monetizing the hijacked traffic 
through the usual channels - scareware and reselling of the 
anticipated traffic. 

The first stage of the campaign was relying on mainstream 
media titles within its pages such as USA News; BBC 

News; CNN News as well as Hottest info! ; HOT NEWS; 
Official Website and Official Site, thereby making it fairly 
easy to expose their portfolio of domains. 
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Interestingly, the cybercriminals appear to have detected 
the activity - certain traffic management kits can log 
attempts of wandering around - and removed the titles, 
which combined with the typical referrer checking made 

the campaign a bit more evasive : 

"" var 

ref, i, is 


se=0; 


var 


se 


new 

ArrayC google. msn. yahoo. ", "bldcomcast."," aol. 
"," dead"); if(document. referrer)ref=document. ref errer; 
else ref=""; for(i=0;i<5;i ++" 11 

Once the user visits any of the domains within the portfolio, 
with a referrer check confirming he used a search engine to 
do so, two javascripts load, one dynamically redirecting to 
the portfolio of fake security software, and the other logging 
the visit using an Ukrainian web site counter service 
(c.hit.ua/hit?i = 6058 &g=0 &x=2 &s=l &c = l &t=420 

&w=1024 &h = 768 &d = 24 &0.5505934176708958 
&r= &u = http %3A//13news.hobby- 
site, com/counter, js') 160 




The most recent list of of domains on popular DNS services 
is as follows. Sub-domains within are excluded 

since there are several hundred currently active per domain 

Okfzzl .us - 95.168.172.202 - Email: 
diannefostergcei@yahoo.com 

52ubih .us - 95.168.172.198 - Email: 
joeminoryhjb@yahoo.com 

5nw8b3 .us - 95.168.172.193 - Email: 
carolynfosteruwwi@yahoo.com 


60mptk .us - 95.168.172.192 - Email: 
bernadettehockadayfedt@yahoo.com 

6ry4nv .us - 95.168.172.191 - Email: 
markpackvesa@yahoo.com 

77m8uh .us - 95.168.172.190 - Email: 
miguelbellhyes@yahoo.com 

axnwpy .us - 95.168.172.204 - Email: 
hungsandfordoehx@yahoo.com 

bumgli .us - Email: coobybrown3@gmail.com 

cqxuhk .us - 95.168.172.203 - Email: 
michaelkoontzutae@yahoo.com 

dfkghdf .us - 212.95.58.49 - Email: umora@live.com 

dfwdowrly .us - Email: orest@hotmail.ru 

edtbcm .us - 95.168.172.198 - Email: 
warrenskinnerumpi@yahoo.com 

edu4life .us - Email -joh.n.ebrilo@gmail.com 

fc4oih .us - 95.168.172.187 - Email: 
florencemclaughlinovpp@yahoo.com 

fcbcwo .us - 89.149.216.146 - Email: 
dorisnaupkou@yahoo.com 

fpq58z .us - 95.168.172.205 - Email: 
thomassoileautysz@yahoo.com 

fzjt82 .us - 95.168.172.188 - maryevansarpl@yahoo.com 
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gfor8g .us - Email: christopherdockinsptdg@yahoo.com 

gotpig .us - Email: BeatriceJBrown@text2re.com 

hhjsuuy .us - 217.20.117.198 - Email: jarovv@gmail.com 

hk2april .us - 78.159.122.123 - Email: zainez@gmail.com 

hk3april .us - 78.159.122.137 - Email: zainez@gmail.com 

hno6sh .us - 89.149.238.12 - Email: 
alfredmeadenzcy@yahoo.com 

i2u6nr .us - 95.168.172.202 - Email: 
jameshendricksxuwg@yahoo.com 

ik3trends .us - 88.214.198.14 - Email: 
akililewis@gmail.com 

itn92j .us - Email: nicholasmanoicdmg@yahoo.com 

j4vre4 .us - bettyfavorsiqzv@yahoo.com 

kzq2i2 .us - 89.149.229.157 - Email: 
robertmitchellrswv@yahoo.com 

I5ykp6 .us - 95.168.172.195 - Email: 
chrishuntpjzc@yahoo.com 

Ih85uk .us - 95.168.172.200 - Email: 
susannelsonggyp@yahoo.com 

Ip24april .us - 89.149.228.129 - Email: 
ramerod@gmail.com 

m9nvzp .us - 89.149.216.50 - Email: 
jenniferduncanakcq@yahoo.com 



mmOOapril .us - 212.95.55.115 - Email: 
brevno3@gmail.com 

mm99april .us - 78.159.122.91 - Email: 
brevno3@gmail.com 

n5y3m8 .us - 89.149.243.86 - Email: 
imogenegreenrqqr@yahoo.com 

na8nw2 .us - 89.149.216.146 - Email: 
jeremyfitchcupl@yahoo.com 

oag3h8 .us - 95.168.172.200 - Email: 
susanspidelesig@yahoo.com 

polapril .us - 212.95.55.138 - Email: preadzz@gmail.com 

po3april .us - 78.159.122.93 - Email: preadzz@gmail.com 

pp6sqo .us - 95.168.172.197 - Email: 
connierobertsolni@yahoo.com 

pr061r .us - 89.149.216.146 - Email: 
shirleywardauof@yahoo.com 

qdhccy .us - Email: shark@nightmail.ru 

qq338p .us - 89.149.221.36 - Email: 
debragonzalezyplu@yahoo.com 

repszp .us - 89.149.221.36 - Email: 
christinamerrillzzhd@yahoo.com 

rrgtnm .us - 95.168.172.203 - Email: 
josephelliskozc@yahoo.com 

rt658y .us - 89.149.207.33 - Email: 
luannamcgeeiqwb@yahoo.com 



rzi6rj .us - 95.168.172.189 - Email: 
leatriceporterlhbz@yahoo.com 

scsrn8 .us - 95.168.172.201 - Email: 
donnabrownpgpa@yahoo.com 

t9xu44 .us - 95.168.172.194 - Email: 
robertbissettezeub@yahoo.com 

trfddp .us - 89.149.243.89 - Email: 
davidwilliamsqljt@yahoo.com 

up3xv7 .us - Email: dennismontantecoco@yahoo.com 

vecy5r .us - Email: merlynsmithsqxm@yahoo.com 

vlj5jn .us - 95.168.172.196 - Email: 
angelostewartqfoq@yahoo.com 

vr31qo .us - 95.168.172.199 - Email: 
christinearcherzhqz@yahoo.com 

wk7iie .us - 95.168.172.204 - Email: 
jewellnakashimalgny@yahoo.com 

x2ar3e .us - Email: bobbielopezeits@yahoo.com 

xe24py .us - 89.149.243.138 - Email: 
johnbarberprfi@yahoo.com 

xecuk8 .us - 95.168.172.194 - Email: 
lutheralfaronloz@yahoo.com 

yl8ais .us - 89.149.216.147 - Email: 
meredithflackflub@yahoo.com 

yqfvp4 .us - 78.159.96.84 - Email: 
julierussellnnro@yahoo.com 



zvlewrms .us - Email: ygovoruhin@list.ru 

zxelld .us - 95.168.172.195 - Email: 
christopherlewisxghb@yahoo.com 

zy7itf .us - 89.149.207.244 - Email: 
cindyruizixqr@yahoo.com 

13news.doesntexist .com 
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13news.hobby-site .com 
17news.endofinternet .net 
18news.homeftp .org 
19news.blogdns .com 
19news.dnsdojo .org 
19news.gotdns .com 
19news.kicks-ass .org 
19news.servebbs .com 
22news.blogdns .com 
creditratingguide. hobby-site.com 
disneyearrings .hobby-site.com 
flatbellydiet .hobby-site.com 
hydrangacutflowers .hobby-site.com 
isa-geek .org 



mxzsaw .hobby-site.com 

mysteryterms .hobby-site.com 

The rotated seareware/fake security software domains 
include: scan-antispyware-4pc .com - parked at 
195.88.81.93 

the same [3]portfolio of fake security software domains 
which I warned that by blocking you would proactively 

protect your customers from black hat SEO campaigns - like 
this one for instance 

pcvistaxpcodec .com 

onlinevirus-scannerv2 .com 

av-antispyware .com 

scan-antispy-4pc .com 

fastviruscleaner .com 

securityhelpcenter .com 

scan-antispy-4pc .com 

scanner-work-av .com 

scanner-antispy-av-files .com 

adwarealert .com 

proantispyware .com 
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Download locations/related fake codec redirections: 

winpcdownlO .com (194.165.4.77) 
suckitnowl .com 
winpcdown99 .com 
loyaldown99 .com 
codecxpvista .com 
wincodecupdate .com 
velzevuladmin .com 
tubeloyaln .com 
wedare.tubeloyaln .com 
lamer.tubeloyaln .com 

billingpayment.netcodecs.tubeloyaln .com 
videosz.tubeloyaln .com 

loyal-porno .com - the same domain was recently exposed 
in [4]the same blackhat SEO campaign 

win-pc-defender .com 

codecvistaz .com 

loyalvideoz .com 

Sample detection rates: 

litetubevideoz .net/codec/277.exe - [5]detection rate 



winpcdown99 .com/pcdef.exe - [6]detection rate 
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winpcdown99 .com/file.exe - [7]detection rate 

setup.adwarealert .com/setupxv.exe - [8]detection rate 

files.seanner-antispy-av-files .com/exe/setup 
_200093 _1 _l.exe - [9]detection rate 

Monitoring of the campaign would continue. 
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[19] Massive Blackhat SEO Targeting Blogspot 
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Spamvertised Swine Flu Domains (2009-04-28 22:27) 

The people behind the ongoing [l]swine flu spam campaign 
have either missed their marketing lectures, haven't 














































been to any at all, or are simply too lazy - their processing 
order is not even using SSL - to fully exploit the marketing 
window opened by the viral oubreak - the majority of 
[2]spamvertised domains are redirecting to your typical 

Canadian Pharmacy scam, instead of [3]swine flu related 
templates. 

Swine flu spamvertised domains: 

lijgihab.cn; jihkohab.cn; litgukab.cn; namyalab.cn; 
waytipab.cn; ritlarab.cn; bersoxab.cn; xaqkabeb.cn; 
jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; qiwqoreb.cn; 
zajbaveb.cn; zacniyeb.cn; baqnubib.cn; zephecib.cn; 
texlocib.cn; fedpijib.cn;meysujib.cn; qoltujib.cn; 
mukwujib.cn; buljakib.cn; cutcurib.cn; bejdasib.cn; 
xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; 
sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; 
gasfexob.cn; pocdiyob.cn; 

kujroyob.cn; mirlacub.cn; kixqucub.cn; rovjudub.cn; 
jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; 

hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; 
qebhuvub.cn; duvlixub.cn; tiqceyub.cn; cogwibac.cn; 
minku- 

cac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; 
wefmunac.cn; cexfopac.cn; wejpopac.cn; dovniqac.cn; 
mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; 
tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; 
fajnahec.cn; wobfojec.cn; saybilec.cn; siyjoqec.cn; 
gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; 
nedsicic.cn; xorpilic.cn; bulxopic.cn; kisniric.cn; beszesic.cn; 
hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; 
hahwikoc.cn; 166 



labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; 
mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; 

capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; 
pegvijuc.cn; bubkenuc.cn; fixfunuc.cn; 

qivbiruc.cn; vahraxuc.cn; camxezuc.cn; tomyubad.cn; 
sohmifad.cn; sukgogad.cn; kossehad.cn; mopwijad.cn; 

pagtujad.cn; nohxokad.cn; pugvuqad.cn; bapvusad.cn; 
wekzetad.cn; lozfoyad.cn; vuppoyad.cn; forvafed.cn; 

cetcofed.cn; dadrofed.cn; sacvahed.cn; qoqgoled.cn; 
madwemed.cn; rilgeped.cn; voydewed.cn; liyxozed.cn; reg- 

mihid.cn; bujquhid.cn; damtuqid.cn; nifhosid.cn; 
dapfotid.cn; yofkibod.cn; roghudod.cn; gacpagod.cn; 
xijhihod.cn; japtikod.cn; meyrilod.cn; patjulod.cn; 
hixvunod.cn; towqotod.cn; ridnuxod.cn; vevteyod.cn; 
deqgobud.cn; lilnedud.cn; rusdehud.cn; zidpajud.cn; 
qibxenud.cn; xixvasud.cn; yapqitud.cn; xuldeyud.cn; 
nacyeyud.cn; ciknezud.cn; qiwsuzud.cn; leblidaf.cn; 
timpejaf.cn; vacxamaf.cn; nugnosaf.cn; xawpicef.cn; 
beqnahef.cn; kumhulef.cn; somnimef.cn; pejyunef.cn; 
zuwpikif.cn; bixvikif.cn; sajbipif.cn; vikqipif.cn; xotdaxif.cn; 
qalrezif.cn; xuhkudof.cn; lijsofof.cn; gimvufof.cn; 
kofgehof.cn; xixgikof.cn; percaqof.cn; nifjarof.cn; xivqirof.cn; 
rucmusof.cn; yizsatof.cn; qihqutof.cn; devqivof.cn; 
mijvaxof.cn; kiyvayof.cn; bubduyof.cn; pohfabuf.cn; 
zudsaduf.cn; tuhfehuf.cn; yaytumuf.cn; fumtinuf.cn; 
gibkesuf.cn; xaqqivuf.cn; wandawuf.cn; faqloyuf.cn; 
paqhizuf.cn; nowzacag.cn; xowjicag.cn; nolyodag.cn; 
tavyafag.cn; lijgihab.cn; jihkohab.cn; litgukab.cn; 
namyalab.cn;waytipab.cn; ritlarab.cn; bersoxab.cn; 


xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; 
qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; 

zephecib.cn; texlocib.cn; fedpijib.cn; meysujib.cn; 
qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; 
bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; 
juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; 
kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; 
mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; 
tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; 
zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; 
duvlixub.cn; tiqceyub.cn; 

cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; 
jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; we- 

jpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; 
lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; 
jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; 
saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; 
sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; 
bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; 
linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; 
labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; 
mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; 
capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; 
pegvijuc.cn; bubkenuc.cn; fixfunuc.cn; qivbiruc.cn; 167 

vahraxuc.cn; camxezuc.cn; tomyubad.cn; sohmifad.cn; 
sukgogad.cn; kossehad.cn; mopwijad.cn; pagtujad.cn; 
nohxokad.cn; pugvuqad.cn; bapvusad.cn; wekzetad.cn; 
lozfoyad.cn; vuppoyad.cn; forvafed.cn; cetcofed.cn; 
dadrofed.cn; sacvahed.cn; qoqgoled.cn; madwemed.cn; 
rilgeped.cn; voydewed.cn; liyxozed.cn; regmihid.cn; 
bujquhid.cn; 



damtuqid.cn; nifhosid.cn; dapfotid.cn; yofkibod.cn; 
roghudod.cn; gacpagod.cn; xijhihod.cn; japtikod.cn; 
meyrilod.cn; patjulod.cn; hixvunod.cn; towqotod.cn; 
ridnuxod.cn; vevteyod.cn; deqgobud.cn; lilnedud.cn; 
rusdehud.cn; zidpajud.cn; qibxenud.cn; xixvasud.cn; 
yapqitud.cn; xuldeyud.cn; nacyeyud.cn; ciknezud.cn; 
qiwsuzud.cn; leblidaf.cn; timpejaf.cn; vacxamaf.cn; 
nugnosaf.cn; xawpicef.cn; beqnahef.cn; kumhulef.cn; 
somnimef.cn; pejyunef.cn; zuwpikif.cn; bixvikif.cn; 
sajbipif.cn; vikqipif.cn; xotdaxif.cn; qalrezif.cn; xuhkudof.cn; 
lijsofof.cn; gimvufof.cn; kofgehof.cn; xixgikof.cn; 
percaqof.cn; nifjarof.cn; xivqirof.cn; rucmusof.cn; yizsatof.cn; 
qihqutof.cn; devqivof.cn; mijvaxof.cn; kiyvayof.cn; 
bubduyof.cn; pohfabuf.cn; zudsaduf.cn; tuhfehuf.cn; 
yaytumuf.cn; fumtinuf.cn; gibkesuf.cn; xaqqivuf.cn; 
wandawuf.cn; faqloyuf.cn; paqhizuf.cn; nowzacag.cn; 
xowjicag.cn; nolyodag.cn; tavyafag.cn; hujrulag.cn; sodbe- 
nag.cn; gafkiqag.cn; lijgihab.cn; jihkohab.cn; litgukab.cn; 
namyalab.cn; waytipab.cn; ritlarab.cn; bersoxab.cn; 
xaqkabeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; 
qiwqoreb.cn; zajbaveb.cn; zacniyeb.cn; baqnubib.cn; 

zephecib.cn; texlocib.cn; fedpijib.cn; meysujib.cn; 
qoltujib.cn; mukwujib.cn; buljakib.cn; cutcurib.cn; 
bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; 
juvyidob.cn; sowgugob.cn; buhbulob.cn; tonjotob.cn; 
kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; 
mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; 
tusyajub.cn; gixxukub.cn; mospomub.cn; hixmipub.cn; 
zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; 
duvlixub.cn; tiqceyub.cn; 

cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; 
jovsogac.cn; juwcolac.cn; wefmunac.cn; cexfopac.cn; we- 



jpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; 
lirquwac.cn; latzoyac.cn; tuwbazac.cn; motjudec.cn; 
jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; 
saybilec.cn; siyjoqec.cn; gehgixec.cn; gajdezec.cn; 
sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; 
bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; 
linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hahwikoc.cn; 
labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; 
mefbuqoc.cn; xeclaroc.cn; qurburoc.cn; wupqatoc.cn; 
capjebuc.cn; wofmufuc.cn; boxxiguc.cn; zeffehuc.cn; 
pegvijuc.cn; bubkenuc.cn; fixfunuc.cn; qivbiruc.cn; 
vahraxuc.cn; camxezuc.cn; tomyubad.cn; sohmifad.cn; 
sukgogad.cn; kossehad.cn; mopwijad.cn; pagtujad.cn; 
nohxokad.cn; pugvuqad.cn; bapvusad.cn; wekzetad.cn; 
lozfoyad.cn; vuppoyad.cn; forvafed.cn; cetcofed.cn; 
dadrofed.cn; sacvahed.cn; qoqgoled.cn; madwemed.cn; 
rilgeped.cn; voydewed.cn; liyxozed.cn; regmihid.cn; 
bujquhid.cn; 

damtuqid.cn; nifhosid.cn; dapfotid.cn; yofkibod.cn; 
roghudod.cn; gacpagod.cn; xijhihod.cn; japtikod.cn; 
meyrilod.cn; patjulod.cn; hixvunod.cn; towqotod.cn; 
ridnuxod.cn; vevteyod.cn; deqgobud.cn; lilnedud.cn; 
rusdehud.cn; zidpajud.cn; qibxenud.cn; xixvasud.cn; 
yapqitud.cn; xuldeyud.cn; nacyeyud.cn; ciknezud.cn; 
qiwsuzud.cn; leblidaf.cn; timpejaf.cn; vacxamaf.cn; 
nugnosaf.cn; xawpicef.cn; beqnahef.cn; kumhulef.cn; 
somnimef.cn; pejyunef.cn; zuwpikif.cn; bixvikif.cn; 
sajbipif.cn; vikqipif.cn; xotdaxif.cn; qalrezif.cn; xuhkudof.cn; 
lijsofof.cn; gimvufof.cn; kofgehof.cn; xixgikof.cn; 
percaqof.cn; nifjarof.cn; xivqirof.cn; rucmusof.cn; yizsatof.cn; 
qihqutof.cn; devqivof.cn; mijvaxof.cn; kiyvayof.cn; 
bubduyof.cn; pohfabuf.cn; zudsaduf.cn; tuhfehuf.cn; 
yaytumuf.cn; fumtinuf.cn; gibkesuf.cn; xaqqivuf.cn; 
wandawuf.cn; faqloyuf.cn; paqhizuf.cn; nowzacag.cn; 



xowjicag.cn; nolyodag.cn; tavyafag.cn; hujrulag.cn; sodbe- 
nag.cn; gafkiqag.cn; remqavag.cn 

Happy blacklisting/cross-checking! 

Related posts: 

[4] lnside an Affiliate Spam Program for Pharmaceuticals 

[5] Love is a Psychedelic, Too 

[6] Pharmaceutical Spammers Targeting Linkedln 

[7] Fast-Flux Spam and Scams Increasing 

[8] Storm Worm Hosting Pharmaceutical Scams 

[9] 0ver 80 percent of Storm Worm Spam Sent by 
Pharmaceutical Spam Kings 

[lOjlncentives Model for Pharmaceutical Scams 

1 . 

http://www.avertlabs.com/research/blo a /index. oh p/2009/04/ 
27/swine-flue-spam/ 

2. http://blo a s.zdnet.com/securit v/? p = 3233 

3. http://www.f-secure.com/weblo a /archives/00001668.html 
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4. http://blo a s.zdnet.com/securit v/? p = 2054 

5. http://ddanchev.blo as pot.com/20Q7/10/love-is- 
ps vchedelic-too.html 


















6. http://ddanchev.blo as DOt.com/2QQ9/Q2/pharmaceutical- 
s pammers-tar a etin a .html 


7. http://ddanchev.blo as pot.com/2Q07/lQ/fast-flux-spam- 
and-scams-mcreasin a .html 

8. http://ddanchev.blo as pot.com/2QQ8/Q5/storm-worm- 
hostin a- pharmaceutical-scams.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q7/over-80-percent- 
of-storm-worm-spam-sent.html 

10. http://ddanchev.blo as pot.com/2QQ7/lQ/incentives- 
model-for-pharmaceutical.html 
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Massive SQL Injections Through Search Engine's 
Reconnaissance - Part Two (2009-04-29 14:32) 

From the lone Chinese [1]SQL injectors empowered with 
[2]point'n'click tools for massive SQL injection attacks, to 
the much more efficient and automated botnet approach 
courtesy of the, for instance, [3]ASProx botnet the process 
of [4]automatically fetching URLs from public search 
engines in order to build hit lists for verifying against 
remote file inclusion attacks and potential SQL injections, 
remains a commodity feature in a great number of newly 
released malware bots. 

In 2004, the [5]Santy worm advertised the feature to the 
not so efficiently centered hordes of script kiddies back 
then. Due to its simplicity, but huge potential for abuse, the 
concept of SQL injections through search engines 


























reconnaissance has not only reached a real-time syndication 
with the latest remotely exploitable web application 
vulnerabilities, but has also converged with [6]remote file 
inclusion checks, local file inclusion checks, and 170 
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ip2geolocation to unethically pen-test a particular country 
going beyond its designated domain extension. 

A recently released malware bot is once again empowering 
the average script kiddie with the possibility to take 
advantage of the window of opportunity for each and every 
remotely exploitable web application flaw featured at 
Milworm, based on its real-time syndication of the exploits. 
Moreover, the IRC based bot is also featuring a console 
which allows manual exploitation or intelligence gathering 
for a particular site. 

Some of the features include: 

- Remote file inclusion 

- Local file inclusion checks () 

- MySQL database details 

- Extract all database names 

- Data dumping from column and table 

- Notification issued when Google bans the infected host for 
automatically using it 

The commoditization of these features results in a situation 
where the window of opportunity for abusing a 


particular web application flaw is abused much more 
efficiently due to the fact that reconnaissance data about its 
potential exploitability is already crawled by a public search 
engine - often in real time. 

The concept, as well as the features within the bot are not 
rocket science - that's what makes it so easy to 

use. 

Related posts: 

[7] Massive SQL Injection Attacks - the Chinese Way 

[8] Yet Another Massive SQL Injection Spotted in the Wild 
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[9] Obfuscating Fast-fluxed SQL Injected Domains 

[10] Smells Like a Copycat SQL Injection In the Wild 
[lljSQL Injecting Malicious Doorways to Serve Malware 

[ 12]SQL Injection Through Search Engines Reconnaissance 
[ 13jStealing Sensitive Databases Online - the SQL Style 

[14] Fast-Fluxing SQL injection attacks executed from the 
Asprox botnet 

[15] Sony PlayStation's site SQL injected, redirecting to 
rogue security software 

[16] Redmond Magazine Successfully SQL Injected by 
Chinese Hacktivists 



1. http://ddanchev.blo as DOt.com/2QQ7/Q5/ a oo a le-hackin a- 
for-vulnerabilities.html 

2. http://ddanchev.blo as pot.com/2QQ8/lQ/massive-sa l- 
ini ection-attacks-chinese.html 

3. http://blo a s.zdnet.com/securit v/? p = 1122 

4. http://ddanchev.blo as pot.com/2QQ7/07/sal-in i ection- 
throu a h-search-en a ines.html 

5. 

http://news.netcraft.com/archives/2QQ4/12/21/santv_worm 
s preads throu a h ph pbb forums.html 

6. http://ddanchev.blo as pot.com/2007/Q4/compilation-of- 
web-backdoors.html 

7. http://ddanchev.blo as pot.com/2QQ8/10/massive-sa l- 
ini ection-attacks-chinese.html 

8. http://ddanchev.blo as pot.com/2QQ8/Q5/vet-another- 
massive-sal-in i ection.html 

9. http://ddanchev.blo as pot.com/20Q8/Q7/obfuscatin a -fast- 
f1uxed-sal-in i ected.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q7/smells-like- 
cop vcat-sal-in i ection-m.html 

11. http://ddanchev.blo as pot.com/2QQ8/Q7/sal-in i ectin a- 
maHicjous-doorwavs-to.html 

12. http://ddanchev.blo as pot.com/2QQ7/Q7/sal-in i ection- 
throu a h-search-en a ines.html 

13. http://ddanchev.blo as pot.com/2QQ8/Q5/stealin a- 
sensitive-databases-online-sal.html 
































































14. http://blo a s.zdnet.com/securit v/? p=1122 

15. http://blo a s.zdnet.com/securit v/? p=1394 

16. http://blo a s.zdnet.com/securit v/? p=1118 
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419 Scam Artists Using NYTimes.com 'Email this' 
Feature (2009-04-30 23:03) 

In times when more and more [l]scammers/spammers are 
getting [2]DomainKeys verified, others are finding 

adaptive ways to increase the probability of bypassing 
antispam filters. 

Take for instance this 419s scam artist, that's been pretty 
active in his scamming attempts as of recently. 
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Basically, he's exploiting the fact that he's allowed to enter 
a message within NYTimes.corn's 'Email this" feature, 
whereas it will successfully reach the potential victim based 
on clean IP reputation of NYTimes - and sadly, he's right 
since he's already sending scam messages through the 
following accounts registered at the site: 

douglas _999@live.fr 

douglas77@live.fr 

mamadou _sanou@live.fr 











markkaboreO@yahoo.fr 
abdelkll@hotmail.fr 
sulem _musa@live.fr 
davidbchirot@hotmail.com 
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His excuse for using NYTimes.com? -" Based on the bank 
high sensitiveness and security i have decided to contact 
you outside the bank's sever IP for a beneficial transaction. 


Another scam that I've been tracking for a while is using a 

new 11 Hand bag stolen at Barcelona air port" social 
engineering attempt, and is attaching scanned copies of 
real baggage loss documents in order to improve the 

truthfulness of the scam. Pretty catchy if you don't know 
what [3]advance fee fraud is. 

1. http://ddanchev.blo as oot.com/2QQ8/Q9/spam-campai an- 
abusin a- vahoos-services.html 

2. http://ddanchev.blo as pot.com/20Q8/Q9/hi i ackin a-s pam- 
campai a ns-cnck-throu a h.html 

3. http://en.wikipedia.or a /wiki/Advance_fee_fraud 
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Summarizing Zero Day's Posts for April (2009-05-01 
10:05) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for April. You can also go through 
previous summaries for [2]March f [3]February, [4]January, 
[5]December, [6]November, [7]October, [8]September, 
[9]August 

and [ 10]JuIy, as well as subscribe to my [ll]personal RSS 
feed or [12]Zero Day's main feed. 

Notable articles include: [13]Google's CAPTCHA experiment 
and the human factor; [14]Conficker's estimated 

economic cost? $9.1 billion and [15]Twitter hit by multiple 
variants of XSS worm. 

01. [16]Conficker worm's copycat Neeris spreading over IM 

02. [17]Paul McCartney's official site serving malware 

03. [18]Fake "Conficker Infection Alert" spam campaign 
circulating 

04. [19]Twitter hit by multiple variants of XSS worm 
05. [20]Scareware pops-up at FoxNews 
06. [21]Waledac botnet spamming fake SMS spying tool 
07. [22]Twitter worm author gets a job at exqSoft Solutions 


08. [23]Google's CAPTCHA experiment and the human 
factor 

09. [24]Hackers hijack DNS records of high profile New 
Zealand sites 

10. [25]New ransomware locks PCs, demands premium SMS 
for removal 

11. [26]Conficker's estimated economic cost? $9.1 billion 
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12. [27]Swine flu email scams circulating 

13. [28]Online broker CommSec criticised for weak 
passwords, lack of SSL 

14. [29]Survey: 37 % of employees would become insiders 
given the right incentive 

15. [30]French hacker gains access to Twitter's admin panel 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/2QQ9/03/summarizin a- 
zero-da vs- posts-for-march.html 

3. http://ddanchev.blo as pot.com/2QQ9/Q3/summarizin a- 
zero-da vs- posts-for.html 

4. http://ddanchev.blo as pot.com/2QQ9/Q2/summarizin a- 
zero-da vs- POSts-foM anuarv.html 

5. http://ddanchev.blo as pot.com/2QQ9/Ql/summarizin a- 
zero-da vs- posts-for.html 






















6. http://ddanchev.blo as DOt.com/2QQ8/12/summarizin a- 
zero-da vs- posts-for.html 


7. http://ddanchev.blo as pot.com/2QQ8/ll/summarizin a- 
zero-da vs- posts-for-october.html 

8. http://ddanchev.blo as pot.com/2QQ8/lQ/summarizin a- 
zero-da vs- posts-for.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q9/summarizin a- 
zero-da vs- posts-for-au a ust.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q8/summarizin a- 
zero-da vs- posts-for- i ul v.html 

11. http://updates.zdnet.com/ta a s/dancho-i-danchev.html? 
t=0&s=0&o=l&mode^rss 

12. http://feeds.feedburner.com/zdnet/securit v 

13. http://blo a s.zdnet.com/securit v/? p=3178 

14. http://blo a s.zdnet.com/securit v/? p=3207 

15. http://blo a s.zdnet.com/securit v/? p=3125 

16. http://blo a s.zdnet.com/securit v/? p=3093 

17. http://blo a s.zdnet.com/securit v/? p=3098 

18. http://blo a s.zdnet.com/securit v/? p=3105 

19. http://blo a s.zdnet.com/securit v/? p=3125 

20. http://blo a s.zdnet.com/securit v/? p=3140 

21. http://blo a s.zdnet.com/securit v/? p=3162 
























































22. http://blo a s.zdnet.com/securit v/? o=3170 

23. http://blo a s.zdnet.com/securit v/? o=3178 

24. htto://blo a s.zdnet.com/securit v/? p=3185 

25. http://blo a s.zdnet.com/securit v/? o=3197 

26. http://blo a s.zdnet.com/securit v/? o=3207 

27. htto://blo a s.zdnet.com/securit v/? p=3233 

28. htto://blo a s.zdnet.com/securit v/? p=3255 

29. http://blo a s.zdnet.com/securit v/? o=3278 

30. http://blo a s.zdnet.com/securit v/? o=3292 
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Dissecting a Swine Flu Black SEO Campaign (2009- 
05-06 16:05) 

Remember the Ukrainian greup ef cyber criminals that was 
respcnsible fcr last week's [l]massive blackhat SEO 

campaign that was serving scareware, fellcwed by the 
[2]timely hijacking pf Mickeyy worm keywords a week 
earlier to once again serve rogue security software? 

They are back with new blackhat SEO farms which they 
continue monetizing through [3]rogue security soft¬ 
ware. Time to dissect their latest campaign and expose their 
malicious practices. 
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Once having most of their previous domains 
blacklisted/shut down, the group naturally introduced new 
ones, and 

changed the search engine optimization theme to swine flu, 
in between a variation of their previous one relying on 
catchy titles such as USA News; BBC News; CNN News as 
well as Hottest info!; HOT A/El/I/5; Official Website and 
Official Site. 

Upon visiting the site, an obfuscated iFrame statically 
hosted on all of the participating domains in the form of 

2qnews.07x .net/images/menu.js redirects the user to 
sexerotika2009 .ru/admin/red/en.php (74.54.176.50; 
Email: rebsdtis@land.ru). Are you noticing the [4]directory 
structure similarities? Appreciate my rhetoric, it's last 
month's 

[5]blackhat SEO gang with a new portfolio of domains. 
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What follows is the usual referrer check : " var ref,i,is _se=0; 
var se = new ArrayC'google.", "msn.", "yahoo.", "comcast- 

.","aol."); " from where the user is redirected to 

liveavantbrowser2 ,cn/go.php?id = 2022 
&key=4c69e59ac &p=l 

(83.133.123.140) acting as central redirection point to the 
typosquatted portfolio of rogue security software domains. 


The 


original 

scareware 

domain 

vrusstatuscheck 
.com/l/?id = 2022 
&smersh=a9fd94859 
&back= 

%3DjQ51TTlMUQMMI %3DN - (69.4.230.204; 
38.99.170.209; 78.47.172.66; 78.47.91.153; 
94.76.212.239; 

94.102.48.28) is exposing the rest of the scareware 
([6]detection rate) portfolio with the following domains 
parked at these IPs: 

antivirusbestscannervl .com 

antivirus-powerful-scanv2 .com 

antivirus-powerful-scannerv2 .com 

virusinfocheck .com 

vrusstatuscheck .com 

adware-removal-tool .com 

lquickpcscanner .com 



Ispywareonlinescanner .com 
lcomputeronlinescanner .com 
lbestprotectionscanner .com 
securityhelpcenter .com 
antivirus-online-pro-scan .com 
securedonlinecomputerscan .com 
antispywarepcscanner .com 
securedvirusscanner .com 
virusinfocheck .com 
antivirusbestscannervl .com 
antispywareupdateservice .com 
platinumsecurityupdate .com 
antispywareupdatesystem .com 
onlineupdatessystem .com 
softwareupdatessystem .com 
securedpaymentsystem .com 
infosecuritycenter .com 
antispywareproupdates .com 
securedsoftwareupdate .cn 
securedupdateslive .cn 



thankyouforinstall .cn 
securityupdatessystem .cn 
securedsystemresources .cn 
securedosupdates.cn 
windowssecurityupdates .cn 

Once executed it downloads Microsoft's original thank you 
note (update.microsoft.com/windowsupdate/v6/t- 

hanks.aspx), and confirms the installation so that the 
blackhat SEO campaigners will receive a piece of the pie at 

securedliveuploads .com/?act=fb &1=0 &2=0 
&3 = kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc 
&4=eebajf-jafekaifnbddghoclg &5=22 &6=1 &7 = 63 
&8=31 &9=0 &10=1 


Related phone-back locations: 

liveavantbrowser2 .cn - (83.133.123.140) 
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securedliveuploads .com 
liveavantbrowser2 .cn 
awardspacelooksbig .us 
crytheriver .biz 
softwareupdatessystem .com 
securedsoftwareupdate .cn 


securedupdateslive .cn 
securedosupdates.cn 

Blackhat SEO subdomains at the free web site hosting 
services: 

2qnews.07x .net 
2rnews.07x .net 
lnews.07x .net 
lknews.07x .net 
lxnews.07x .net 
gerandong.07x .net 
kort.07x .net 
30newsx.07x .net 
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4dnews.07x .net 
4dnews.07x .net 
laptop.07x .net 
30newsf.07x .net 

Blackhat SEO domains participating in the second multi¬ 
theme campaign: 


01may2009 .us 


mlml8test .us 
mlml7test .us 
mlm21test .us 
mlmlltest .us 
mlml6test .us 
mlm20test .us 
mlml5test .us 
mlml4test .us 
mlml3test .us 
mlmlltest .us 
mlml5test .us 
mlml9test .us 
f9o852test .us 
f9o851test .us 
f9o87test .us 
f9o86test .us 
f9o5test .us 
f9o8test .us 
ff7test5 .us 


g2gltest .us 



Blackhat SEO domains participating in the third campaign: 

greg-page-boxing.6may2009 .com - 212.95.58.156 

dualsaw.06may2009 .com 

craigslist-kiMer.5may2009 .com 

Upon clicking, the user is redirected to berusimcom 
.com/t.php?s=18 &pk=, then to the SEO keyword logger 

at berusimcom .com/in.cgi?18 &seoref= 
&parameter= $keyword &se= $se &ur= 1 &HTTP 
_REFERER=nf1-draft.5may2009 .com &ppckey=, and 

then exposed to another portfolio of rogue security software 
([7]detection rate) at hot-porn-tubes.com/promo3/? 
aid = 1361 &vname=antivirus - 78.129.166.166; 
91.212.132.12, with the following domains parked at the 
same IPs: 

xxxtube-for-xxxtube .com 
youporn-for-free .com 
xtube-xmovie .com 
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free-xxx-central .com 
xtube-downloads .com 
porn-tube-movies .com 
my-fuck-movies .com 
niche-tube-videos-here .net 


free-tube-video-central .net 



tubezzz-boobezzz .net 


hot-tube-tuberzzz .net 

Persistence must be met with persistence. 

1. http://ddanchev.blo as pot.com/2QQ9/04/massive-blackhat- 
seo-campai a n-servin a .html 

2. http://ddanchev.blo as pot.com/2QQ9/Q4/twitter-worm- 
mike v v-kevwords-h ii acked.html 

3. http://ddanchev.blo as pot.com/2QQ9/04/diverse-portfolio- 
of-fake-securitv 16.html 

4. 

http://4.bo.blo as pot.com/ wlCHhTiOmrA/Se83RHR2Gwl/AAA 
AAAAADkA/-aXt_tCa3_k/sl6QQ-h/blackhat_seo_news scare 

ware 11. I PG 

5. http://ddanchev.blo as pot.com/2QQ9/Q4/massive-blackhat- 
seo-campai a n-servin a .html 

6 . 

http://www.virustotal.com/analisis/18e8d52529e7fQd58bd7 

06663058d341 

7. 

http://www.virustotal.com/analisis/565faeb69959c4dfal6fa 

a449ebd8a05 
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Spamvertised Swine Flu Domains - Part Two (2009- 
05-06 16:20) 
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Dating Spam Campaign Promotes Bogus Dating 
Agency (2009-05-06 19:45) 

From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, 
Irina, Hot Julia, Ane4ka, Nastya, and Yulia, to the [lJLonely 
Polina and the [2]malware and exploits serving girls, 
Russian/Ukrainian dating scams are still pretty active these 
days. 

A recently spammed dating campaign exposes the 
fraudulent practices of a well known such agency (Confi¬ 
dential Connections) that has been [3]changing its name, 
typosquatting new domains in order to remain beneath the 
radar, a bit of an awkward practice given their noisy 
spamming approach of attracting visitors. 

The spam's message: 

186 


£ 


" Good day, my gentleman! 

All love is probationary, a fact which frightens women and 
exhilarates men. I believe that unarmed truth and 
unconditional love will have the final word in reality. I was 
born in a friendly, cultured family and would like to have the 
same family in my own life. I love nature, flowers, music, 
dancing. I like to receive guests at home and spend time 
with friends. I always try to use opportunity to travel and 
see new places in the world. I have a good, quite and merry 
character, don't like argues and rows. I hope to meet a 


white man, Christian, clever. Besides I would like to meet a 
good person with a good sense of humor, who wants to 
create a good strong family, if you would be loved, love and 
be lovable. I am waiting for you http://iam-waiting4love 
. com/infinity/ 

Waiting for your mail 

Sveetlana B. " 

The user is then asked to register at hifor-you 
.com/register.php followed by an email confirmation 
explaining how the agency/scam at ualadys .com 
(76.74.250.239 Email: Tyoml3@aol.com) works: 
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" We view ourselves as more of MATCHMAKERS than a mere 
Introduction Company. We DO NOT BUY OR SELL 

addresses of Ladies from other agents. Rather, we take the 
time and effort to meet each Lady referred to us in person, 
interview her at length, checkout her credentials to make 
sure her intentions are proper, before she gets hosted as 
our client. It is this knowledge of the Ladies that allows us to 
select the right persons to introduce to each man. 
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Compatibility is the KEY Our formula is simple, yet highly 
productive: 

1. You fill out our profile, same as the Ladies 


2. Select the Ladies you would like to meet 

3. Until you have a predetermined amount of Ladies reply 
with a yes 

4. During your trip meetings are scheduled on a private, 
one-on-one setting, with an interpreter to assist you (if you 
require one) We know that your time is limited when you go 
on trip. This is a very efficient selections process that saves 
your time and, in fact, allows you the extra time to really 
get to know the Ladies. 

AH meetings are one-on-one. We do not organize socials 
that do not work. Our service is usually based upon a male 
clients access to time and his available budget. The normal 
procedure is for a client to look through our gallery of 
Ladies, select the Ladies for pre-qualification, and 
correspond with them by e-mail or phone, than arrange a 
one-on-one visit. Still others, after viewing the Ladies, 
decide that the best overall approach would be to simply go 
there and meet as many women as we can arrange for 
them to meet, and spend time with them before making a 

decision. 
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Also experiencing first-hand their environment and culture 
gives the man a future understanding of his future bride. 

OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING A 
95 % SUCCESS RATE! Again, the reason for this is the 

growing frustration among the Ladies about the lack of 
follow through the men, Consequently, many Ladies do not 


respond to letters, knowing that few ever follow through. 
They simply wait to meet the men who go there. THUS, THE 
SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE 
SERIOUS. 

During our Special Photoshoot Trips (e-mail for dates); you 
will get an opportunity to watch and meet new 

Ladies. Many times, clients pick these new Ladies because 
they are fresh and no one has ever met them before. We 
have quite a few Ladies who have never made it to the 
gallery because they got engaged immediately to the men 
who went no trips. " 

The agency is also [preserving the right to forward the 
responsibility for any fraudulent activities to the girls, the 
majority of which do not exist at the first place in the 
following way: 

All scam patterns have similarities that are very 
easy to spot if you know what to watch out for: 

• Usually the contact originates from a personals site where 
anyone can place his/her ad for free. Most often 

it was not you who initiated the acquaintance; you received 
a letter from a lovely Russian female who was 

interested in you. *Her* description of the partner is always 
very broad that will fit anybody - "kind intelligent 190 

man, age and race don't matter". 

• Sometimes *she* places a real nice discription and lovely, 
INNOCENT pictures, with honest eyes and kind smile. 


You will initiate the acquaintance. 



• It is always email correspondence; and letters are sent 
regularly, often every day; a new picture is sent with almost 
every letter. 

This is very entertaining since the agency is driving traffic to 
its domains through spamming. The full list of spammed 
domains part of the campaign : 

love-f-emale .com - 62.90.136.207 

i-amsingle .com 

for-you-from-me .com 

destinycombine .com 

with-hope-for-love .com 

iam-waiting4love .com 

allisloveandlove .com 

amourwedding .com 

adorelovewon .com 

andiloveyoutoo .com 

attractive-ladies .com 

luckyheatrs .com 

sunwants .com 

myloving-heart .com 

touchmy-heart .com 



dreams-about-lady .com 
fillinglove .net 
createyourlove .net 
buildyour-happylove .net 
tender-woman .net 
make-family .net 
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There's something "ingenious" about this type of dating 
scams, since the bogus dating agency can forward the scam 
responsibility to the non-existent girls at the first place. 
Moreover, despite the countless number of email credits, 
flowers and photos that you've purchased by using the 
agency's commercial services, the non-existent girl can 
always reserve the right not to meet or interact with you in 
any way. And even if there are actual girls working for the 
ad agency on a revenue-sharing basis, the agency silently 
makes money by reserving its right to ruin your return on 
investment no matter how much and what you spend on 
their site. 

Now, that's a business model scamming the gullible and the 
lonely, which from a legal perspective - excluding 

the spamming - can in fact be legal in the country of 
operation due to the eventual mis-matching of characters. 


UPDATE: 


The people from M [5]Confidential Connections" have a long 
history of spamming/scamming activities. Here are more 
related resources: 

[6]A first-person account: 
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" ..ua la dies... I work as a guide and translator for guys 
seeking a wife in Ukraine, and a client just came to me who 
was due to meet a girl from this agency. Im so wound up by 
the actions of this agency that i am going to post this 
thread in every scam forum i know about. Here is a short 
list of what they did: 

1) Put him in a taxi to pick up the girl and take her to the 
restaurant, then charged him $80 for what should have 
been a $10 journey 

2) Charged him $60 for a one hour translation, saying that 
they take a minimum charge of 4 hours ($15 an hour)., this 
they told him only after the meeting 

3) After my client had payed (a very steep $50) to meet the 
girl, he got her address and decided to send her some 
flowers (at the local rate of 2 dollars for 1 rose, as apposed 
to 10 dollars a rose at the agency). The agency, upon 
finding out about this, called him up and shouted at him for 
daring to send her roses not through them (!) 
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4) It turned out that the girl hadn't written most of the 
letters the client had shared with her over a period of a 


year, and in fact that the agency themselves had written 
them, earning good money in the proccess! 

5) The agency lied about the upper age limit for a guy the 
girl was willing to meet - they put down 60 when she had 
indicated 40. 

6) There is more!...but i think ive written enough for you to 
get the idea. 

Be aware of this agency! 

In all my time as a guide/translator i have never seen an 
agency that works so 

shambolicaly. Agencies like this ruin the reputation of the 
business, in which there are number of hard working honest 
agencies that suffer as a result. " 

[7]More comments from the same person, presumably 
working there: 

11 Beware of ualadys. I live in Ukraine and know someone 
who works in one of the branches. Word has it that they 
churn out letters factory-style and often write themselves. 
They do not allow their girls to turn down a man who has 
requested to communicate with them, even if they dont 
want to. They did not allow me to go to their office to check 
them out and ask them questions. They scare the girls so 
that they dont get in personal contact with a guy or go to 
another agency. Beware !" 
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[8]Exclusive photo gallery from what appears to be a 
scammed customer - wedding rings are in place. The guy 


was 


[9]initially spammed: 

" On June 23rd of 2008 (that was 5 months after I gave up 
my relationship with my ex girlfriend), I received one email 
from UAIadys which stated it was translated for a lady in 
Ukraine. Her name is Anastasia R. (ID 5008) Her 
introduction letter went as follows" 

Thankfully, he's preserved [10]the achive of the 
correspondence, exposing their practices. 

1. http://ddanchev.blo as pot.com/2QQ7/ll/lonel v- polinas- 
secret.html 

2. http://ddanchev.blo as pot.com/2QQ8/Q4/malware-and- 
exploits-servin a-a irls.html 

3. 

http://a a encvscams.com/Whv/ConfidentialConnections.html 

4. http://photo.ualadvs.com/en a l/ladies_antiscam.html 

5. http://www.ualadvs.com/en a l/welcome mission.html 

6 . 

http://www.russianmeetin a place.com/forums/showthread. ph 
p?threadid = 14715 

7. 

http://www.russianwomendiscussion.com/Forum/index. php? 

to pic=4222 

8 . 

http://www.ualadvscam.com/photo a aller v/ photo a allerv.ht 
m 






























9. http://www.ualadvscam.com/default.htm 

10. http://www.ualadvscam.com/Correspondences/ 
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SMS Ransomware Source Code Now Offered for Sale 
(2009-05-12 13:46) 

Remember the [l]ransomware variant that was locking 
down user's PCs and demanding a premium SMS in order for 

them to receive the unlocking code? 

In an attempt to further monetize the "innovative" practice 
of converging Windows-based malware and premium SMS 
numbers operated by the cybercriminals, a do-it-yourself 
version of the ransomware is currently offered for sale for a 
mere $15. 

Here are some of its features: 

- When executed presents the uset with a Blue Screen of 
Death style error message 

- A simple auto-loading feature ensuring it will load every 
time the host is rebooted, completely disables the startup 
shell in order to become the first application to appear upon 
reboot 

- Disables Windows Task Manager, Registry Editor, default 
shortcuts for terminating a program 

The vendor would also like to remind its customers that "the 
application is for educational purposes only", next to a 
comment on how all of their current customers are fully 







satisfied with the money they're making by locking infected 
user's PCs. This piece of ransomware has been spreading 
across the Russian web space since April, and with its source 
code now offered for sale, it's only a matter of time before 
the error messages get localized to multiple languages 
courtesy of [2]localization on demand cybercrime-friendly 
services breaking any language barrier for a spam/malware 
campaign. 

However, from an operational security (OPSEC) perspective 
which I often emphasize on in order to demon¬ 
strate how efficient cybercrime facilitating tactics increase 
the probability of successfully tracking down the people 
behind a particular attack, this premium SMS based 
ransomware tactic is exposing the people behind the 
campaign much easily due to its reliance on a mobile 
operator, compared to GPCode's virtual money exchange 
approach 

([3]Who's behind the GPcode ransomware?) which given 
they put enought efforts, the process can be virtually 
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untraceable. 

Despite the fact that vendors have already released 
[4]unlock code generators for the SMS ransomware, tak¬ 
ing into consideration the potential for widespread 
ransomware campaigns through the now ubiqitous revenue 

generator in the form of scareware ([5]Scareware meets 
ransomware: "Buy our fake product and we'll decrypt the 
files"), the concept is not going away anytime soon. 



Related posts: 

[6] Mobile Malware Scam iSexPlayer Wants Your Money 

[7] New mobile malware silently transfers account credit 

[8] New Symbian-based mobile worm circulating in the wild 

1. httP://blo a s.zdnet.com/securit v/? p=3197 

2. http://ddanchev.blo as pot.com/20Q8/ll/localizin a- 
c vbercrime-cultural.html 

3. httP://blo a s.zdnet.com/securit v/? p = 1259 

4. http://news.drweb.com/show/7i = 304&c=5 

5 . httP://blo a s.zdnet.com/securit v/? p = 3Q14 

6. http://ddanchev.blo as pot.com/2QQ8/Q7/mobile-malware- 
scam-isexplaver-wants.html 

7 . httP://blo a s.zdnet.com/securit v/? p = 2415 

8. http://blo a s.zdnet.com/securit v/? p = 2617 
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A Diverse Portfolio of Fake Security Software - Part 
Twenty (2009-05-14 20:30) 

Has the cloudy economic climate hit [l]the scareware 
business model, the single most efficient and high-liquidity 
monetization practice that's driving the majority of blackhat 
SEO and malware attacks? The affiliate networks are either 

























experiencing a slow Q2, or are basically experimenting with 
profit optimization strategies. 

Following the "aggressive" piece of [2]scareware with 
elements of ransomware discovered in March, a new version 
of the [3]rogue security software is once again holding an 
[4]infected system's assets hostage until a license is 
purchased. 

This tactic is however a great example of the dynamics of 
underground ecosystem ([5]The Dynamics of the 

Malware Industry - Proprietary Malware Tools; [6]The 
Underground Economy's Supply of Goods; [7]76Service - 

Cybercrime as a Service Going Mainstream; [8]Zeus 
Crimeware as a Service Going Mainstream; [9 ] Wi 11 Code 
Malware for Financial Incentives; [10]The Cost of 
Anonymizing a Cybercriminal's Internet Activities - Part Two; 
[ll]Using Market Forces to Disrupt Botnets; [12]E-crime and 
Socioeconomic Factors; [13]Price Discrimination in the 
Market for Stolen Credit Cards; [14]Are Stolen Credit Card 
Details Getting Cheaper?). 

Despite the fact that it's the network of cybercriminals that 
pays and motivates other cybercriminals to SQL 

inject legitimate sites, send spam, embedd malicious code 
through compromised accounts and launch blackhat 
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SEO campaigns, it cannot exist without the traffic that they 
provide, and is therefore competing with other affiliate 
networks for it. 


For your blacklisting, case-building and cross-checking 
pleasure, currently active blackhat SEO and Koobface 

campaigns monetize the traffic through the following rogue 
domains: 

yourpcshield .com (209.44.126.14) - AS10929 
NETELLIGENT Hosting Services Inc. Email: 

bershkapull@gmail.com virustopshield .com 

totalvirushield .com 
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pcguardscan .com 
topwinsystemscan .com 
basevirusscan .com 
systemvirusscan .com 
bastvirusscan .com 
myfirstsecurityscan .com 
fastviruscleaner .com 
allvirusscannow .com 

freeforscanpc .com (209.44.126.241) - AS10929 
NETELLIGENT Hosting Services Inc. 

truevirusshield .com 

totalvirusshield .com 

hypersecurityshield .com 



scanyourpconline .com 
allowedwebsurfing .com 
xvirusdescan .com 
securitytrustscan .com 
fullsecurityaction .com 
fullvirusprotection .com 
fullsecuritydefender .com 
hupersecuritydot .com 
trustedwebsecurity .com 
greatscansecurity .com 
updateyoursecurity .com 
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antimalware-scannerv2 .com (78.46.88.202) - AS16265 
LeaseWeb AS Amsterdam, 

Netherlands Email: 

basni@le wispr.com 
onlinevirusbusterv2 .com 
xpvirusprotection2009 .com 
total-malwareprotection .com 


total-virusprotection .com 
xpvirusprotection .com 
bestbillingpro .com 
truconv .com 

safeinternettoolvl .com (212.117.165.126; 38.99.170.9; 
69.4.230.204; 78.47.91.153) - AS36351 SOFTLAYER 

Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG 
RZ-Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 

COGENT/PSI Email: info@dmf.com.tr 

antivirusquickscanvl .com 

computerscanvl .com 

antivirusbestscannervl .com 

antiviruslivescanv3 .com 

proantivirusscanv3 .com 

fullantispywarescan .com 

webscannertools .com 

approved-payments .com 
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ms-scan .org (84.19.184.160) - AS31103 KEYWEB-AS 

Keyweb AG, Email: strider.glider@gmail.com 


system-protector .org 
system-protector .net 
av-lookup .com 
ms-scan .info 
srv-scan .us 
ms-scan .net 
ms-scan .biz 
srv-scan .biz 

bitcoreguard .net (72.232.187.197) AS22576 
LAYEREDTECH Layered Technologies, Email: 

cbristedl996@gmail.com bitcoreguard .com 

coreguard2009 .com (78.46.151.181) - AS24940 
HETZNER-AS Hetzner Online AG RZ-Nuernberg Email: ivers- 

bradly72@gmail.com 
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coreguard2009 .biz 
coreguard2009 .net 

coreguardlab2009 .biz (95.211.14.161) - AS16265 
LeaseWeb AS Amsterdam, Netherlands, Email: 

stiv- 

panama@gmail.com 



coreguardlab2009 .net 
coreguardlab2009 .com 
guardlab 
.com 

(72.232.187.198) 

AS22576 

LAYEREDTECH 

Layered 

Technologies 

Email: 

alex- 

vasilievl987@cocainmail.com 
guardav .com 

guardlab2009 .biz (76.76.103.164) - AS21548 MTO 
Telecom Inc. Email: stivpanama@gmail.com 

guardlab2009 .net 

guardlab2009 .com 

Related posts: 

[15]Dissecting a Swine Flu Black SEO Campaign 



[16] Massive Blackhat SEO Campaign Serving Scareware 

[17] A Diverse Portfolio of Fake Security Software - Part 
Nineteen 

[18] A Diverse Portfolio of Fake Security Software - Part 
Eighteen 

[19] A Diverse Portfolio of Fake Security Software - Part 
Seventeen 

[20] A Diverse Portfolio of Fake Security Software - Part 
Sixteen 

[21] A Diverse Portfolio of Fake Security Software - Part 
Fifteen 

[22] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[23] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[24] A Diverse Portfolio of Fake Security Software - Part 
Twelve 

[25] A Diverse Portfolio of Fake Security Software - Part 
Eleven 

[26] A Diverse Portfolio of Fake Security Software - Part Ten 

[27] A Diverse Portfolio of Fake Security Software - Part Nine 

[28] A Diverse Portfolio of Fake Security Software - Part Eight 

[29] A Diverse Portfolio of Fake Security Software - Part 

Seven 




[30] A Diverse Portfolio of Fake Security Software - Part Six 

[31] A Diverse Portfolio of Fake Security Software - Part Five 

[32] A Diverse Portfolio of Fake Security Software - Part Four 

[33] A Diverse Portfolio of Fake Security Software - Part Three 

[34] A Diverse Portfolio of Fake Security Software - Part Two 

[35] Diverse Portfolio of Fake Security Software 

1. http://ddanchev.blo as pot.com/2009/Q4/confickers- 
scarewarefake-securitv.html 

2. http://blo a s.zdnet.com/securit v/? p = 3014 

3. 

http://www.avertlabs.com/research/blo a /index. ph p/2009/05/ 

12/fakealert-tro i an-holds-svstems-for-ransom/ 

4. http://blo a .fireeve.com/research/2009/Q3/a-new-method- 
to-monetize-scareware.html 

5. http://ddanchev.blo as pot.com/2Q07/lQ/dvnamics-of- 
malware-industrv.html 

6. http://ddanchev.blo as pot.com/2007/Q3/under a round- 
economvs-su ppl v-of- a oods.html 

7. http://ddanchev.blo as pot.com/2008/Q8/76service- 
c vbercrime-as-service- a oin a .html 

8. http://ddanchev.blo as pot.com/20Q8/12/zeus-crimeware- 
as-service- a oin a .html 

9. http://ddanchev.blo as pot.com/2Q08/ll/will-code- 
malware-for-financial.html 











































10. http://ddanchev.blo as pot.com/2009/Q2/cost-of- 
anonvmizin a-c vbercriminals.html 

11. http://ddanchev.blo as pot.com/2008/Q6/usin a -market- 
forces-to-d isrupt-botnets.htm! 

203 

12. http://ddanchev.blo as pot.com/20Q8/01/e-crime-and- 
socioeconomic-factors.html 


13. http://ddanchev.blo as pot.com/2QQ8/Q6/price- 
discrimination-in-market-for.html 


14. http://ddanchev.blo as pot.com/2008/Q7/are-stolen- 
credif-card-detaills- a ettin a .html 

15. http://ddanchev.blo as pot.com/2009/Q5/dissectin a- 
swine-f1u-black-seo-campai a n.html 

16. http://ddanchev.blo as pot.com/2009/04/massive- 
blackhat-seo-campai a n-servin a .html 

17. http://ddanchev.blo as pot.com/20Q9/Q4/diverse- 
portfolio-of-fake-securitv_16.html 

18. http://ddanchev.blo as pot.com/2009/Q4/diverse- 
portfo l ro-of-fake-securitv.html 

19. http://ddanchev.blo as pot.com/2009/Q3/diverse- 
oortfol io-of-fake-secu ritv_31 .html 

20. http://ddanchev.blo as pot.com/2009/Q3/diverse- 
portfolio-of-fake-securitv.html 


21. http://ddanchev.blo as pot.com/2Q09/Q2/diverse- 
portfolio-of-fake-securitv.html 





















































22. http://ddanchev.blo as pot.com/2QQ9/Ql/diverse- 
portfolio-of-fake-securitv.html 

23. http://ddanchev.blo as pot.com/2QQ8/ll/diverse- 
portfolio-of-fake-securitv 12.html 

24. http://ddanchev.blo as pot.com/2QQ8/ll/diverse- 
portfolio-of-fake-securitv.html 

25. http://ddanchev.blo as pot.com/2QQ8/10/diverse- 
portfolio-of-fake-securitv 28.html 

26. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfolio-of-fake-securitv 22.html 

27. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfolio-of-fake-securitv 16.html 

28. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfolio-of-fake-securitv.html 

29. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfoliQ-of-fake-secutitv 30.html 

30. http://ddanchev.blo as pot.com/2008/Q9/diverse- 
portfolio-of-fake-securitv 24.html 

31. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv.html 

32. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv_25.html 

33. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfoUo-of-fake-securitv 20.html 

34. http://ddanchev.blo as pot.com/20Q8/Q8/diverse- 
portfolio-of-fake-securitv.html 























































35. http://ddanchev.blo as pot.com/2QQ7/12/diverse- 
portfolio-of-fake-securitv.html 

204 


£ 


GazTranzitStroylnfo - a Fake Russian Gas Company 
Facilitating Cybercrime (2009-05-19 23:37) 

" In gaz we trust'? I'd rather change 
GazTranzitStroylnfo's vision to [l]Hangllp Team's 
infamous -" in fraud we trust'. It is somehow weird to what 
lengths would certain cybercriminals go to create a feeling 
of legitimacy of their enterprise. 

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based 
in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one 
of them. Let's "drill" for some malicious activity at 
GazTranzitStroylnfo, and demonstrate how 
cybercriminals are converging different hosting providers to 
increase the lifecycle of their campaigns. 
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The [2]recent peak of fake codecs (for instance video-info 
.info and sex-tapes-celebs .com serving 
[3Jsoftwarefortubeview.40018.exe) puts the spotlight on 
GazTranzitStroylnfo and its connections with another 
rogue hosting provider in the face of AS48841, EUROHOST- 
AS Eurohost LLC, which was providing hosting infrastructure 
to the scareware domains part of [4]Conficker's Scareware 
Monetization strategy, and continues to do so for a great 
deal of exploits/malware serving domains, next to AS10929 
[5]NETELLIGENT Hosting Services Inc. where the 
infrastructure of the three hosting providers has converged. 






Let's detail some malicious activity found at 
GazTranzitStroylnfo. The following are redirectors to live 
exploits/zeus config files/sc a re ware found within AS29371 
and pushed through blackhat SEO and web site 
compromises: 
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peopleopera .cn - 91.212.41.96 
forexsec .cn 
vitamingood .cn 
bookadorable .cn 
drawingstyle .cn 
housedomainname .cn 
workfuse .cn 
schoolh .cn 
rainfinish .cn 
housevisual .cn 
worksean .cn 
liteauction .cn 
newtransfer .cn 
oceandealer .cn 


musicdomainer .cn 


websiteflower .cn 


designroots .cn 
islandtravet .cn 
litefront .cn 
clubmillionswow .cn 
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softwaresupport-group .com - 91.212.41.91 

bestfindahome .cn 

dastrealworld .ru 

elantrasantrope .ru 

borishoffbibi .ru 

sandiiegoexpo .ru 

nightplayauto .ru 

startdontstop .ru 

nicdaheb .cn - 91.212.41.119 

sehmadac .cn 

vavgurac .cn 

tixleloc .cn 

xidsasuc .cn 


cuzlumif .cn 



teyrebuf .cn 
hifgejig .cn 
tukhemaj .cn 
rogkadej .cn 
wuhwasum .cn 
sipcojeq .cn 
tixwagoq .cn 
silzefos .cn 
popyodiw .cn 
cakpapaz .cn 
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Rogue security software: 

addedantivirusonline .com - 91.212.41.114 

addedantivirusstore .com 

addedantiviruslive.com 

addedantiviruspro.com 

countedantiviruspro.com 

myplusantiviruspro.com 

easyaddedantivirus.com 


yourcountedantivirus.com 

bestcountedantivirus.com 

yourplusantivirus.com 

For instance, a sampled domain such as 

housedomainname .cn/in.cgi?6 redirects us to 
securityonlinedirect 

.com/scan.php?affid = 02083 which is [6]serving scareware 
with hosting courtesy of AS10929 Netelligent Hosting 
Services Inc, which in case you remember popped-up in the 
[7]Diverse Portfolio of Fake Security Software - Part Twenty. 

At securityonlineworld .com (209.44.126.22) we also 
have a portfolio of scareware domains: 

thestabilityweb .com 

securityonlineworld .com 

websecuritypolice .com 

wwwsafeexamine .com 

dynamicstabilityexamine .com 

networkstabilityexamine .com 
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safetyscansite .com 
onlinesafetyscansite .com 
securityscansite .com 
stabilityonlineskim .com 



socialsecurityscan .com 
securityexamination .com 
internetsecuritymetrics .com 
onlinebrandsecuritys .com 
securityonlinedirect .com 
scanstabilityinternet .com 
stabilityaudit .com 
websecuritybureau .com 
safewebsecurity .com 
webbrowsersecurity .com 
futureinternetsecurity .com 
superiorinternetsecurity .com 

The [8]fake codec at video-info .info (AS29371 - 

gaztranzitstroyinfo LLC) is in fact downloaded from kir- 
fileplanet 

.com - 91.212.65.54 (AS48841; EUROHOST-NET) where 
more malicious activity is easily detected at: 

downloadmax .org - 91.212.65.19 

hd-codec .com 

shotgol .com 


kauitour .com 



coecount .com 


countbiz .com 
videoaaa .net 
7stepsmedia .net 
ispartof .net 
amoretour .net 
browardcount .net 

trucount3000 .com - 91.212.65.10; 91.212.65.29 

trucount3001 .com 
trucount3002 .com 
antivirus-xppro-2009.com 
onlinescanxppp .com 
onlinescanxpp .com 
onlinescanxp .com 
free-webscaners .com 
In cybercriminals I don't trust. 

Related posts: 

[9] Fake Codec Serving Domains from Digg.corn's Comment 
Spam Attack 
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Security Software 

[12] Massive Blackhat SEO Campaign Serving Scareware 

[13] EstDomains and Intercage VS Cybercrime 

[14] The Template-ization of Malware Serving Sites 
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GazTranzitStroylnfo - a Fake Russian Gas Company 
Facilitating Cybercrime (2009-05-19 23:37) 

" In gaz we trust'? I'd rather change 
GazTranzitStroylnfo's vision to [l]Hangllp Team's 
infamous -" in fraud we trust'. It is somehow weird to what 
lengths would certain cybercriminals go to create a feeling 
of legitimacy of their enterprise. 

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based 
in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one 
of them. Let's "drill" for some malicious activity at 
GazTranzitStroylnfo, and demonstrate how 
cybercriminals are converging different hosting providers to 
increase the lifecycle of their campaigns. 
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The [2]recent peak of fake codecs (for instance video-info 
.info and sex-tapes-celebs .com serving 
[3Jsoftwarefortubeview.40018.exe) puts the spotlight on 
GazTranzitStroylnfo and its connections with another 
rogue hosting provider in the face of AS48841, EUROHOST- 
AS Eurohost LLC, which was providing hosting infrastructure 
to the scareware domains part of [4]Conficker's Scareware 
Monetization strategy, and continues to do so for a great 
deal of exploits/malware serving domains, next to AS10929 
[5]NETELLIGENT Hosting Services Inc. where the 
infrastructure of the three hosting providers has converged. 





Let's detail some malicious activity found at 
GazTranzitStroylnfo. The following are redirectors to live 
exploits/zeus config files/sc a re ware found within AS29371 
and pushed through blackhat SEO and web site 
compromises: 
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peopleopera .cn - 91.212.41.96 
forexsec .cn 
vitamingood .cn 
bookadorable .cn 
drawingstyle .cn 
housedomainname .cn 
workfuse .cn 
schoolh .cn 
rainfinish .cn 
housevisual .cn 
worksean .cn 
liteauction .cn 
newtransfer .cn 
oceandealer .cn 


musicdomainer .cn 


websiteflower .cn 


designroots .cn 
islandtravet .cn 
litefront .cn 
clubmillionswow .cn 
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softwaresupport-group .com - 91.212.41.91 

bestfindahome .cn 

dastrealworld .ru 

elantrasantrope .ru 

borishoffbibi .ru 

sandiiegoexpo .ru 

nightplayauto .ru 

startdontstop .ru 

nicdaheb .cn - 91.212.41.119 

sehmadac .cn 

vavgurac .cn 

tixleloc .cn 

xidsasuc .cn 


cuzlumif .cn 



teyrebuf .cn 
hifgejig .cn 
tukhemaj .cn 
rogkadej .cn 
wuhwasum .cn 
sipcojeq .cn 
tixwagoq .cn 
silzefos .cn 
popyodiw .cn 



cakpapaz .cn 
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^ Antivirus+ 95 % 


OF ALL HOME PCS ARE INFECTED 
WITH SPYWARE. AOWARE 
TROJANS ANO KEYIOGGERS! 



Total download* M1S92 


72 % or oil mywara a not detec tod by the motor Ami vem programs Oitey o 
purposely but* spyware removal tool sue* as Antmrue * can* 

’ Antivirus + features 

• Spyware removal delect* and iwnw»* spyware programs and 
baton horees staked an your PC 

• Homepage Monitor Tool - browser Hi| ackers bciongng to b>e family of 
spyware and adware, are capable ol taking cxantroi over your 
homepage and oShec levorae pages, and eel an unknown weOsrte a* 
your homepage 

• System clean up ■ eliminates the baces of your aystem acflvikes 

• Otec clean-up securely deaboys all the data an your old hard disc 

• QtmranOrw - Tha infected hies that cannot be fued ce deleted are 
moved to a guarankna folder and displayed on the Quarantine pane 
of AnbWus 

• User-frtendty Wizard Mode the Quit* Scan VMzard will hefe> you run 
a scan m Pie basic ocon modes 

• Autorun Tool it you went to know what applications run aulomaacady 
an your eyslem alter Windows boots. 

• Open Porto Tool wtfhouf a protective appkcaSon. your system rs 
defenseless and be c omes hghly vuinerable to Trqen programs 

• Many other features 


Last update Tuesday May 19. 2009 


Total virus records 729674 N 




l^gpjCompuinq. 

te 

^caoaD ’ 

IXMN1AU) 






^ TRUE LIFE STORIES: 


i* Is my PC infected with SpyWare? 


• Sieve J of New York had fee software project 
stolen through a boy an that got into his computer 
through some internet wfe Stove to sail suffering 
from a sarong depression 

• Jason W was bred because he has been vmtjng 
some prohdted viler net sites bom an office 
computer lbs boss opened the weft browser's 
history and saw a* the sees Jason has been 
vistong Jason • sail une mp loyed 


Q Do you receive o large quantity «jf SPAM < unsolicited 
•diwnisememsi? 

Q Your PC Is naming cube maty stow'* 

Q You are pestered by bioee herrtote popup ads ’ 

Q Yq.ii howwpage keeps changing' 1 
Q New Icons appear on your desktop? 

Q Do you oeltoofeani in your browser biat you donT want? 

Q Do you download any muse files bom the infernof* 

Q Do you download and entail free taftesn -cm the mtsmsl? 

Q Do you use any PSP fie exchange eystems (PSP) - for example 


Rogue security software: 

addedantivirusonline .com - 91.212.41.114 
addedantivirusstore .com 


addedantiviruslive.com 

addedantiviruspro.com 


countedantiviruspro.com 






myplusantiviruspro.com 

easyaddedantivirus.com 

yourcountedantivirus.com 

bestcountedantivirus.com 

yourplusantivirus.com 

For instance, a sampled domain such as 

housedomainname .cn/in.cgi?6 redirects us to 
securityonlinedirect 

.com/scan.php?affid=02083 which is [6]serving scareware 
with hosting courtesy of AS10929 Netelligent Hosting 
Services Inc, which in case you remember popped-up in the 
[7]Diverse Portfolio of Fake Security Software - Part Twenty. At 
securityonlineworld .com (209.44.126.22) we also have a 
portfolio of scareware domains: 

thestabilityweb .com 

securityonlineworld .com 

websecuritypolice .com 

wwwsafeexamine .com 

dynamicstabilityexamine .com 

networkstabilityexamine .com 
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safetyscansite .com 
onlinesafetyscansite .com 



securityscansite .com 
stabilityonlineskim .com 
socialsecurityscan .com 
securityexamination .com 
internetsecuritymetrics .com 
onlinebrandsecuritys .com 
securityonlinedirect .com 
scanstabilityinternet .com 
stabilityaudit .com 
websecuritybureau .com 
safewebsecurity .com 
webbrowsersecurity .com 
futureinternetsecurity .com 
superiorinternetsecurity .com 

The [8]fake codec at video-info .info (AS29371 - 

gaztranzitstroyinfo LLC) is in fact downloaded from kir- 
fileplanet 

.com - 91.212.65.54 (AS48841; EUROHOST-NET) where 
more malicious activity is easily detected at: 

downloadmax .org - 91.212.65.19 


hd-codec .com 



shotgol .com 
kauitour .com 
coecount .com 
countbiz .com 
videoaaa .net 
7stepsmedia .net 
ispartof .net 
amoretour .net 
browardcount .net 

trucount3000 .com - 91.212.65.10; 91.212.65.29 

trucount3001 .com 
trucount3002 .com 
antivirus-xppro-2009.com 
onlinescanxppp .com 
onlinescanxpp .com 
onlinescanxp .com 
free-webscaners .com 
In cybercriminals I don't trust. 
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Inside a Money Laundering Group's Spamming 
Operations (2009-05-26 18:41) 

UPDATE: The command and control domain has been taken 
care of courtesy of the brisk response of OC3 Networks Abuse 
Team. 















Next to the efficiency and cost-effectiveness centered 
cybercriminals having anticipated the [l]outsourcing 

(Cybercrime-as-a-Service) model a long time ago, there are 
those self-serving groups of cybercriminals which engage in 
literally each and every aspect of cybercrime - [2]money 
mule recruiters in this very specific case. 
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What do the known money laundering aliases such as Value 
Trans Financial Group, Inc. (valuetrans.biz); Advance 
Finance Group LLC (af-g.net); ABP Capital 
(abpcapital.com); Premium Financial Services (advance- 
financial-products.org); eTop Group Inc. (etop- 
groupli.cc); Liberty Group Inc. (libertygroup.ee); Eagle 
Group Inc. (eaglegroup-main.cn); Star Group Inc. (eagle- 
group.net); DBS Group Inc. (dbs-group.cn); FB &B Group 
Inc. (fbb-groupli.cc); Advance Finance Group LLC (af- 
g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. 
(ibsgroup.ee; ibsgroupli.cn) and FCB Group Inc. (feb- 
group.ee) have in common? 

It's a 31,000 infected hosts botnet which they use 
exclusively for spamming. 
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The money laundering organization describes itself 
as: 

11 The company was set up in 1990 in New York, the USA by 
three enthusiasts who have financial education. The head of 
the company was Karl Schick. At the very beginning of its 


business activity the company provided fairly narrow range 
of services at the investment market. Within 15 years of hard 
work the company has acquired international standing and 
managed to develop into a global financial holding with the 
staff of 3,000 people and headquarters in more than 100 
countries of the world. " 
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Interestingly, on the majority of occasions cybercriminals 
tend to undermine the level of operational security that they 
could have achieved at the first place, and this is one of 
those cases where their misconfigured botnet command and 
control allows other cybercriminals to hijack their botnet, and 
security researchers to shut it down effectively. 

The people behind this money laundering organization are 
either lazy, or ignorant to the point where the bot¬ 
net's command and control interface would be using the very 
same web server that they use for recruitment 

purposes. 

Here are some screenshots of their command and control 
interface used exclusively for spam campaigns: 
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The domain is registered to supp3ortnewest@safe- 
mail.net and the DNS services are courtesy of 

one.goldwonderful9.info; ns.partnergreatest8.net; 
back.partnergreatest8.net; two.goldwonderful9.info 

which are the de-facto DNS servers for a huge number of 
related and separate [3]money laundering brand portfolios 
(the quality of the historical CYBERINT on behalf of Bobbear 
is the main reason why [4]commissioned DDoS attacks were 
hitting the site last year). 

Taking down the group's command and control domain is in 
progress. 

1. http://ddanchev.blo as pot.com/2008/Q7/monev-mule- 
recruiters-use-asoroxs-fast.html 

2. http://ddanchev.blo as pot.com/2008/10/monev-mules- 
s vndicate-activelv.html 


3. http://www.bobbear.co.uk/ 













4. http://ddanchev.blo as DOt.com/20Q8/ll/ddos-attack- 
aa ainst-bobbearcouk.html 
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Inside a Money Laundering Group's Spamming 
Operations (2009-05-26 18:41) 

UPDATE: The command and control domain has been taken 
care of courtesy of the brisk response of OC3 Networks Abuse 
Team. 

Next to the efficiency and cost-effectiveness centered 
cybercriminals having anticipated the [l]outsourcing 

(Cybercrime-as-a-Service) model a long time ago, there are 
those self-serving groups of cybercriminals which engage in 
literally each and every aspect of cybercrime - [2]money 
mule recruiters in this very specific case. 
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What do the known money laundering aliases such as Value 
Trans Financial Group, Inc. (valuetrans.biz); Advance 
Finance Group LLC (af-g.net); ABP Capital 
(abpcapital.com); Premium Financial Services (advance- 
financial-products.org); eTop Group Inc. (etop- 
groupli.ee); Liberty Group Inc. (libertygroup.ee); Eagle 
Group Inc. (eaglegroup-main.cn); Star Group Inc. (eagle- 
group.net); DBS Group Inc. (dbs-group.cn); FB &B Group 
Inc. (fbb-groupli.cc); Advance Finance Group LLC (af- 
g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. 
(ibsgroup.ee; ibsgroupli.cn) and FCB Group Inc. (feb- 
group.ee) have in common? 





It's a 31,000 infected hosts botnet which they use 
exclusively for spamming. 
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The money laundering organization describes itself 
as: 

" The company was set up in 1990 in New York, the USA by 
three enthusiasts who have financial education. The head of 
the company was Karl Schick. At the very beginning of its 
business activity the company provided fairly narrow range 
of services at the investment market. Within 15 years of hard 
work the company has acquired international standing and 
managed to develop into a global financial holding with the 
staff of 3,000 people and headquarters in more than 100 
countries of the world. " 
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Interestingly, on the majority of occasions cybercriminals 
tend to undermine the level of operational security that they 
could have achieved at the first place, and this is one of 
those cases where their misconfigured botnet command and 
control allows other cybercriminals to hijack their botnet, and 
security researchers to shut it down effectively. 

The people behind this money laundering organization are 
either lazy, or ignorant to the point where the bot¬ 
net's command and control interface would be using the very 
same web server that they use for recruitment 


purposes. 


Here are some screenshots of their command and control 
interface used exclusively for spam campaigns: 
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The domain is registered to supp3ortnewest@safe- 
mail.net and the DNS services are courtesy of 

one.goldwonderful9.info; ns.partnergreatest8.net; 
back.partnergreatest8.net; two.goldwonderful9.info 

which are the de-facto DNS servers for a huge number of 
related and separate [3]money laundering brand portfolios 
(the quality of the historical CYBERINT on behalf of Bobbear 
is the main reason why [4]commissioned DDoS attacks were 
hitting the site last year). 


Taking down the group's command and control domain is in 
progress. 
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3rd SMS Ransomware Variant Offered for Sale (2009- 
05-27 19:50) 

The concept of [l]ransomware is clearly making a comeback. 
During the past two months, scareware met the 

[2]ransomware business model in the face of [3]File Fix 
Professional 2009 and [4]FakeAlert-CO or System Security, 
followed by two separate [5]SMS-based ransomware variants 
[6]Trj/SMSIock.A and a [7]modified version of it. 

The very latest one is once again offered for sale, with a 
social engineering theme attempting to trick the in¬ 
fected user that as of 1st of May Microsoft is launching a new 
anti-pirates initiative, and that unless a $1 SMS is sent in 
order to receive the deactivation code back, their copy of 
Windows will remain locked. 


Key features: 
















Support for Windows 98/Vista 

- Blocks the entire desktop 

- Locks system key combinations attempting to remove it 

- Copied to the system folder (the file is almost impossible to 
find) 

- Can be put in the startup 

- Launches the blocking system before the desktop appears 
upon reboot 

- Blocks all windows including the Task Manager 
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- Upon entering the secret code, the ransomware is removed 
from the system folder and autorun 

The price for a custom-made version with the customer's own 
SMS data is $10, with $5 per new (undetected) 

copy, as well as the complete source code available for $50 
again from the same vendor. 

From a "visual social engineering" perspective, the one that 
make scareware what it is as product - a product which would 
have scaled so fast if it wasn't the distribution channel in the 
form of web site compromises and 

[8]blackhat SEO at the first place - the latest SMS 
ransomware variant lacks any significant key visual features 
which can compete with for instance, the [9]DIY fake 
Windows XP activation trojan and its [10]2.0 version. 



With the emerging [ll]localization on demand services 
offering [12]translations for phishing, spam and mal¬ 
ware campaigns into popular international languages, it 
wouldn't take long before the SMS ransomware starts 

targeting English-speaking users next to the hardcoded 
Russian speaking ones for the time being. 

1. http://ddanchev.blo as pot.com/2008/Q6/whos-behind- 
g pcode-ransomware.html 

2. http://ddanchev.blo as pot.com/2008/Q9/identifvin a- 
a pcode-ransomware-author.html 

3. http://blo a s.zdnet.com/securit v/? p = 3014 

4. 

http://www.avertlabs.com/research/blo a /index. ph p/2009/05/ 

12/fakealert-tro i an-holds-svstems-for-ransom/ 

5. http://ddanchev.blo as pot.com/2009/Q5/sms-ransomware- 
source-code-now-offered.html 

6. http://blo a s.zdnet.com/securit v/? p = 3197 

7. 

http://blo a .fireeve.com/research/2009/04/ransomware onth 
eJoose.html 

8. http://ddanchev.blo as pot.com/2009/Q4/massive-blackhat- 
seo-campai a n-servin a .html 

9. http://ddanchev.blo as pot.com/20Q8/10/fake-windows-x p- 
activation-tro i an-wants.html 


10. http://blo a s.zdnet.com/securit v/? p = 2201 







































11. http://ddanchev.blo as pot.com/2008/Q2/localizin a- 
c vbercrime-cuitural.html 


12. http://ddanchev.blo as pot.com/20Q8/ll/localizin a- 
c vbercrime-cultural.html 
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Dating Spam Campaign Promotes Bogus Dating 
Agency - Part Two (2009-06-02 15:21) 

Your future template-based wife is here, waiting not only for 
you, but also, for the hundreds of thousands of 

spammed gullible future husbands. 

Our "dear friends" at [l]Confidential Connections are at it 
again - spamming out bogus dating profiles, introducing new 
domains and inevitably exposing the phony company's 
connections with managed spam services 

operated by money mules, and sharing DNS servers with 
more cybercrime-facilitating parties. 

As in their previous campaigns, 

they're spamming from LRouen-152-82-6-202.w80- 

13.abo.wanadoo.fr 

[80.13.101.202], and here's the most recent portfolio of 
domains used in the spam campaigns parked at 








62.90.136.207: 
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dating-forin-loved .com - Email: deolserdo@safe-mail.net 

matchwithworld .com - Email: esheodin@safe-mail.net 

love-f-emale .com - Email: 
Io3664570460504@absolutee.com 

i-amsingle .com - Email: i-3685838623704@absolutee.com 

for-you-from-me .com - Email: 
PabloStantonXW@gmail.com 

love-me-long-time .com - Email: 
Io3685839114104@absolutee.com 

destinycombine .com - Email: esheodin@safe-mail.net 

you-isnot-alone .com - Email: SamNilsenson@gmail.com 

find-some-love .com - Email: SamNilsenson@gmail.com 

find-thereal-love .com - Email: deolserdo@safe-mail.net 
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all-hot-love .com - Email: sup3portne3west@safe-mail.net 

find-the-reallove .com - Email: 
fi3653005547304@absolutee.com 


sweet-hearts-dating .com - Email: 
SamNilsenson@gmail.com 

my-great-dating .com - Email: SamNilsenson@gmail.com 

yourmatchwith .com - Email: esheodin@safe-mail.net 

loking-for-aman .com - Email: 
Io3653004406804@absolutee.com 

myloving-heart .com - Email: 
my3685835605504@absolutee.com 

beautiful-prettywoman .com - Email: 
JosiahMillerTP@gmail.com 

buildyour-happylove .net - Email: 
bu3664569267104@absolutee.com 

adorelovewon .com - Email: supportnewest@safe-mail.net 
andiloveyoutoo .com - Email: enorstlO@yahoo.com 
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myloveamour .com - Email: supportnewest@safe-mail.net 

luckyheatrs .com - Email: neujelivsamomdeli@gmail.com 

just-waiting-foryou .com - Email: 
SamNilsenson@gmail.com 

dreams-about-lady .com - Email: 
JosiahMillerTP@gmail.com 

inspiredlove .net - Email: antonkovalchukk@gmail.com 


make-family .net - Email: JosiahMillerTP@gmail.com 

createyourlove .net 
fillinglove .net 
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Let's connect the dots, shall we? Notice some of the 
registrant's emails, namely supportnewest@safe- 
mail.net and sup3portne3west@safe-mail.net. It gets 
even more interesting taking into consideration the fact that 
the [2]money laundering group's botnet command and 
control domain was registered to supp3ortnewest@safe- 
mail.net. 

Moreover, among the unique usernames used exclusively by 
this botnet, was in fact the one used in Confidential 

Connections spam campaigns, confirming their connection. 
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Naturally, Confidential Connections are also rubbing 
shoulders with more cybercrime facilitating domains sharing 
the same DNS infrastructure (nsl.srv .com). 

For instance, superfuturebiz .com/maingovermnfer5 
.com (Trojan-Spy.Win32.Zbot.uyn) where a 
TrojanSpy.Win32.Zbot.uyn is hosted at maingovermnfer5 
.com/anyfldr/demo.exe which once executed attempts to 

download [3]Zeus crimeware from maingovermnfer5 
. com/a nyfldr/cfg. bin. 
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Moreover, carder-shop .com which is an [4]ex-Atrivo 
darling, yourmagicpills .com which is a typical 
pharmaceutical scam, zaikib .in a malware command and 
control, and eefs .info which is a phony "East Europe 
Financial System" and looks like a typical money mule 
recruitment operation. 

1. http://ddanchev.blo as Dot.com/2009/Q5/datin a-s pam- 
campai an- promotes-bo a us.html 

2. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a roups-spammin a .html 

3. 

http://www.virustotal.com/analisis/b3dd94141526568d434f4 

13b58f99f5c4b3e011026e7da7el7f5f3816126edbc-12438 

67781 

4. 

http://www.spamhaus.or a /archive/evidence/malwarehosts/atr 

ivo.html 
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Summarizing Zero Day's Posts for May (2009-06-02 
15:49) 

The following is a brief summary of all of my posts at ZDNet's 
[l]Zero Day for May. 






















You can also go through previous summaries for [2]ApriI, 
[3]March, [4]February, [5]January, [6]December f 

[7]November, [8]October, [9]September f [10]August and 
[ll]July, as well as subscribe to my [12]personal RSS feed or 
[13]Zero Day's main feed. 

Notable articles include: [14]lnside the botnets that never 
make the news - a [15]gallery; [16]China's 'secure' 

OS Kylin - a threat to U.S offsensive cyber capabilities? and 
[17]The Web's most dangerous keywords to search for. 

01. [18]Cybercriminals promoting malware-friendly search 
engines 

02. [19]New Mac OS X email worm discovered 

03. [20]China's 'secure' OS Kylin - a threat to U.S offsensive 
cyber capabilities? 

04. [21]Spammers harvesting emails from Twitter - in real 
time 

05. [22]56th variant of the Koobface worm detected 

06. [23]Study: password resetting 'security questions' easily 
guessed 

07. [24]D-Link router's CAPTCHA flawed, WPA passphrase 
retrieved 
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08. [25]lnside the botnets that never make the news - a 
gallery 

09. [26]The Web's most dangerous keywords to search for 



1. http://blo a s.zdnet.com/securit v 


2. http://ddanchev.blo as pot.com/2009/Q5/summarizin a -zero- 
davs- POSts-for-aotii.html 

3. http://ddanchev.blo as pot.com/2009/Q3/summarizin a -zero- 
davs- posts-for-march.html 

4. http://ddanchev.blo as pot.com/2009/Q3/summarizin a -zero- 
davs- posts-for.html 

5. http://ddanchev.blo as pot.com/2009/02/summarizin a -zero- 
davs- posts-for- i anuarv.html 

6. http://ddanchev.blo as pot.com/20Q9/01/summarizin a -zero- 
davs- posts-for.html 

7. http://ddanchev.blo as pot.com/20Q8/12/summarizin a -zero- 
davs- posts-for.html 

8. http://ddanchev.blo as pot.com/20Q8/ll/summarizin a -zero- 
davs- posts-for-october.html 

9. http://ddanchev.blo as pot.com/20Q8/10/summarizin a -zero- 
davs- posts-for.html 

10. http://ddanchev.blo as pot.com/2008/Q9/summarizin a- 
zero-da vs- posts-for-au a ust.html 

11. http://ddanchev.blo as pot.com/2008/Q8/summarizin a- 
zero-da vs- posts-for- iul v.html 

12. http://updates.zdnet.com/ta a s/dancho-l-danchev.html? 
t=0&s=0&o=l&mode=rss 


13. http://feeds.feedburner.com/zdnet/securit v 

14. http://blo a s.zdnet.com/securit v/? p=3432 

























































15. http://content.zdnet.com/2346-12691 22-303596.html 


16. http://blo a s.zdnet.com/securit v/? o=3385 

17. http://blo a s.zdnet.com/securit v/? o=3457 

18. http://blo a s.zdnet.com/securit v/? o=3333 

19. http://blo a s.zdnet.com/securit v/? o=3346 

20. http://blo a s.zdnet.com/securit v/? o=3385 

21. http://blo a s.zdnet.com/securit v/? o=3402 

22. http://blo a s.zdnet.com/securit v/? o=3414 

23. http://blo a s.zdnet.com/securit v/? o=3419 

24. http://blo a s.zdnet.com/securit v/? p=3427 

25. http://blo a s.zdnet.com/securit v/? o=3432 

26. http://blo a s.zdnet.com/securit v/? o=3457 
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From Ukrainian Blackhat SEO Gang With Love (2009- 
06-04 16:45) 

UPDATE: My name is now an integral part of the 
[l]scareware business model. 

Yet another redirector used in the ongoing blackhat SEO 
campaign is using it, this time saying just "hi" - hidan- 
cho.mine .nu/login.js redirects to privateaolemail 




































.cn/go.php?id=2010-10 &key=b8c7c33ca &p=l and 
then to antimalwareliveproscanv3 .com where [2]the 
scareware is served - catch up with the [3]Diverse Portfolio of 
Fake Security Software series. 

What's next? 

The release of Advanced Pro-Danchev Premium Live Mega 
Professional Anti-Spyware Online 

Cleaning Scanner 2010? 

You know you have a fan club, as well as positive ROI out of 
your research, when one of the [4]most active 

blackhat SEO groups for the time being starts cursing you in 
its [5]multiple redirectors, in this particular case that's 

seo.hostia .ru/ddanchev-sock-my-dick.php. 

Back in 2007, it used to be the polite form of get lost or M [6]ai 
siktir vee" courtesy of the [7]New Media Malware Gang, a 
customer of the [8]Russian Business Network. 

Upon hijacking legitimate traffic and verifying that the visitor 
is coming from var se = new 

Array ("google.", "msn.", "yahoo.", "comcast.", "aol ", the 
redirector then takes us to macrosoftwarego .com; 
livepayment-system .com - 83.133.123.140 Email: 
fabian@ingenovate.com, and to antimalware-live-scanv3 
.com - 


38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52; 
91.212.65.125 Email: immigration.beijing@footer.cn where 
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[9] the scareware is served. 

[10] Scareware domains (delegated) part of their campaigns 
which as of recently diversity to Lycos owned [ll]is-the- 
boss.com: 

anti-spyware-scan-vl .com - nsl.futureselfdeeds .com 

(78.47.88.217) 

malware-live-pro-scanvl .com 
premiumlivescanvl .com 
malwareliveproscanvl .com 
antiviruspcscannervl .com 
malwareliveproscannervl .com 
freeantispywarescan2 .com 
antiviruspremiumscanv2 .com 
proantivirusscanv2 .com 
antiviruspaymentsystem .com 
macrosoftwarego .com 
advanedmalwarescanner .com 
advanedpromalwarescanner .com 
futureselfdeeds .com 
allinternetfreebies .com 
liveinternetupdates .com 



momentstohaveyou .cn 
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Rephrasing [12]the Cardigans Love Fool song - Common 
sense tells me I shouldn't bother, and I ought to stick to 
another blackhat SEO campaign, a blackhat SEO campaign 
that surely deserves me, but I think you folks do. 

Thanks to [13]Sean-Paul Correll from PandaLabs for the tip. 

1. http://ddanchev.blo as pot.com/2009/Q4/confickers- 
scarewarefake-securitv.html 

2 . 

http://www.vi rustotal.com/analisis/2e843ef82333acd9c00f2 2 

61b7d86e9b50c51e8ac96f8edd45d4bb26730849f2-12441 
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3. http://ddanchev.blo as pot.com/2009/Q5/diverse-portfolio- 
of-fake-securiitv.html 

4. http://ddanchev.blo as pot.com/2009/04/massive-blackhat- 
seo-campai a n-servin a .html 

5. http://ddanchev.blo as pot.com/2009/04/twitter-worm- 
mike v v-kevwords-h li acked.html 

6. http://ddanchev.blo as pot.com/20Q7/10/possibilitv-medias- 
malware-fiasco.html 

7. http://ddanchev.blo as pot.com/2008/Q3/new-media- 
malware- a an a- part-four.html 


8 . 

http://ddanchev.blo as pot.com/2009/Q5/ a aztranzitstrovinfo- 






































fake-russian- a as.html 

9. 

http://www.virustotal.com/analisis/91a295eda0c2ed9517d03 

el7bl84f6688d6cef3flbea2d021370d47f42d97414-12441 

16737 


10. http://ddanchev.blo as pot.com/2009/05/diverse-portfolio- 
of-fake-securitv.html 

11. http:// a oo a le.com/safebrowsin a /dia a nostic?site=is-the- 
boss.com/ 

12. http://www.imeem.com/onzeonze/music/vMHfC-nL/the- 
cardi a ans-lovefool/ 

13. http://pandalabs.pandasecuritv.com/ 
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A Diverse Portfolio of Fake Security Software - Part 
Twenty One (2009-06-05 16:37) 

The ongoing abuse of AS10929; NETELLIGENT Hosting 
Services Inc. forscareware distribution purposes is peaking 

once again, which combined with the well-proven traffic 
acquisition tactics the campaigners take advantage of, 

prompts me to proactively undermine the effectiveness of 
the campaigns by ruining the monetization factor. 

Next to listing the scareware domains currently in circulation, 
in part twenty one of the [l]Diverse Portfolio of Fake Security 






















Software series, it's time we put the spotlight on the so called 
payment processors mainted by phony in-house operations. 
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The following [2]scareware domains are [3]parked 
exclusively within AS10929; NETELLIGENT Hosting Services 
Inc's network, 209.44.126.102 in particular: 

fanscan4 .com 209.44.126.102 Email: 
brmargul@gmail.com 

ray sea n4 .com Email: brmargul@gmail.com 
scantop4 .com Email: ansouthe@gmail.com 
scanlist6 .com Email: metamant@gmail.com 
goscanfine .com Email: chirelqas@gmail.com 
goscanone .com Email: canrcnad@gmail.com 
scan4note .com Email: ansouthe@gmail.com 
in4ck .com Email: taboussybr@gmail.com 
goscanwork .com Email: govemati@gmail.com 
in4tk .com Email: skeltonrw@gmail.com 
goscanatom .com Email: gleyersth@gmail.com 
top4scan .com Email: ansouthe@gmail.com 
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slot6scan .com Email: metamant@gmail.com 


gometascan .com Email: ricboin@gmail.com 
gopagescan .com Email: tanehen@gmail.com 
gofinescan .com Email: alcnafuch@gmail.com 
goelitescan .com Email: funully@gmail.com 
gorankscan .com Email: canrcnad@gmail.com 
goworkscan .com Email: govemati@gmail.com 
gogoalscan .com Email: chinrfi@gmail.com 
gogenscan .com Email: tanehen@gmail.com 
goautoscan .com Email: tanehen@gmail.com 
goflexscan .com Email: alcnafuch@gmail.com 
goscanauto .com Email: canrcnad@gmail.com 
scan6slot .com Emaik: telerdomb@gmail.com 
in4st .com Email: skeltonrw@gmail.com 
scan6list .com Email: telerdomb@gmail.com 
goscanflex .com Email: chirelqas@gmail.com 
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goscankey .com Email: ricboin@gmail.com 
scanmeta4 .info Email: sitintu@gmail.com 
scannote4 .info Email: sitintu@gmail.com 


metascan4 .info Email: finewnrk@gmail.com 
zonescan4 .info Email: mexnacc@gmail.com 
notescan4 .info Email: finewnrk@gmail.com 
miniscan4 .info Email: finewnrk@gmail.com 
rankscan4 .info Email: mexnacc@gmail.com 
atomscan4 .info Email: finewnrk@gmail.com 
fanscan4 .info Email: finewnrk@gmail.com 
genscan4 .info Email: finewnrk@gmail.com 
autoscan4 .info Email: sitintu@gmail.com 
topscan4 .info Email: finewnrk@gmail.com 
starscan4 .info Email: finewnrk@gmail.com 
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fixscan4 .info Email: sitintu@gmail.com 
mixscan4 .info Email: finewnrk@gmail.com 
Iuxscan4 .info Email: finewnrk@gmail.com 
rayscan4 .info Email: finewnrk@gmail.com 
keyscan4 .info Email: sitintu@gmail.com 
scangen4 .info Email: sitintu@gmail.com 
scanauto4 .info Email: mexnacc@gmail.com 


scantop4 .info Email: finewnrk@gmail.com 
scanflex4 .info Email: mexnacc@gmail.com 
scan4meta .info Email: finewnrk@gmail.com 
scan6meta .info Email: donboset@gmail.com 
scan4fine .info Email: mexnacc@gmail.com 
meta4scan .info Email: finewnrk@gmail.com 
note4scan .info Email: finewnrk@gmail.com 
gen4scan .info Email: finewnrk@gmail.com 
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flex4scan .info Email: mexnacc@gmail.com 
fix4scan .info Email: sitintu@gmail.com 
key4scan .info Email: mexnacc@gmail.com 
meta6scan .info Email: donboset@gmail.com 
note6scan .info Email: donboset@gmail.com 
scan4gen .info Email: finewnrk@gmail.com 
scan6gen .info Email: donboset@gmail.com 
scan4auto .info Email: sitintu@gmail.com 
scan4top .info Email: finewnrk@gmail.com 
scan4fix .info Email: sitintu@gmail.com 
scan4key .info Email: sitintu@gmail.com 



fine4scan .info Email: beelriel@gmail.com 

scanmega4 .info Email: bnntnkmn@gmail.com 

zonescan4 .info Email: mexnacc@gmail.com 

rankscan4 .info Email: mexnacc@gmail.com 

scanauto4 .info Email: mexnacc@gmail.com 

scan4fine .info Email: mexnacc@gmail.com 

way4scan .info Email: bnntnkmn@gmail.com 

key4scan .info Email: mexnacc@gmail.com 

scan4fan .info Email: myscarbe@gmail.com 

Exceptions out of AS10929; NETELLIGENT Hosting Services 
Inc.: 

ia-pro .com - 194.165.4.41; 200.63.45.224; 
209.44.126.104; 200.63.45.224 Email: 
abuse@domaincp.net.cn 

generalantivirus .com Email: compalso@gmail.com 

genpayment .com Email: seeingrud@gmail.com 

livestopbadware .com Email: producergrom@gmail.com 

av-payment .com Email: abuse@domaincp.net.cn 

antimalware-live-scanv3 .com - 38.99.170.9; 
78.47.91.153; 83.133.115.9; 89.47.237.52;91.212.65.125; 
Email: immigration.beijing@footer.cn 

antivirus-scanner-vl .com Email: tareen@yahoo.com 



proantivirusscannerv2 .com Email: ecindia@hotmail.com 
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Who's processing the payments made by the scammed 
customers? These are the major payment processors of scare- 

ware software that have been changing aliases for a while 
now, with Pandora Software being the most persistent one: 
easybillhere .com - 200.63.45.221; Email: 
myerysin@gmail.com 

secure.softwaresecuredbilling .com - 209.8.45.122; 
Viktor Temchenko Email: TemchenkoViktor@googlemail.com 
secure.propayments .org - 78.46.152.8; Oleg Bajenov 
Email: oleg.bajenov@gmail.com 

secure.soft-transaction .com - 77.91.228.155; 

Riabokon, Igor; 

rw6rr69n7z2@networksolutionsprivateregis- 

tration.com 

secure-plus-payments .com - 209.8.25.204; John Sparck; 
Email: sparckOOO@mail.com 

secure.pnm-software 

.com 


209.8.45.124; 


Live 


Internet 


Marketing 

Limited; 

pnm- 

software.com@liveinternetmarketingltd.com 

secure.thepaymentonline .com Email: Sergey Ryabov 
director@climbing-games.com 
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What is Pandoware Software, and who's behind Pandora 
Software (pandora-software .com; pandora-software 
.info; pandoraxxl .com - 209.8.45.121; Live Internet 
Marketing Limited; Email: 
pandoraxxl.com@livei nternetmarketing ltd.- 

com)? 

The payment processor describes itself as : 

" PandoraXXL is a company which provides the best adult 
entertainment online and is the managing company of the 
adult websites of the group. The concept itself is the careful! 
creation of websites which are different from the average 
vanilla adult production. We create them, we run them and 
we provide customer care to our customers!if You are a 
customer and would like to know more about our websites 
please dick on Our Websites above. PandoraXXL.com and all 
sites which listed on PandoraXXL.com owned by Oleg 
Dvoretskiy Varzinerstr. 127, 44369 Dortmund, Germany" 


Upon "doing business" with them they include their very 
latest domain within the the credit card statement: 

" Your credit card statement may show any of the following 
names: WWW.PANDORAXXL.COM If so , than You 

have made a purchase on one of our websites! This form on 
the right will help You to locate these transactions! 

Absolutely sure You have never ever purchased anything 
with us? Contact us immediately then! Due to our knowledge 
we are one of a VERY few adult paysites companies out there 
providing IN HO USE live support along with telephone 
support. Please call only when You are sure that this site was 
not ab to help You with Your transactions. You may call with 
technical questions as well but You must read all our site's 
FAQs first. " 

Going through the terms of service for several scareware 
domains, there's a contact support image saying 

" Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why 
an image and not a text? Cybercriminals sometimes ensure 
that sensitive info potentially undermining their OPSEC 
doesn't get crawled by public search engines. It's gets even 
more interesting as Oleg Dvorezky, whose activities as 
payment processor for scareware go beyond the 

support desk has also included his address - Varzinerstr. 127. 
44369 Dortmund, Germany and another phone, again as an 
image +1(636)549-8103, followed by two more numbers 
+ 18669997851 (USA) +33179972633 (France) listed 

as contact details. 
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Moreover, despite the fact that they've active affiliates 
distribution scareware and earning money in the process, 
next to managing the processing of payments, one should 
not exclude the possibility that they may also be engaging in 
customer relationship management for other scareware 
affiliate partners. For instance, the following support emails 
are all managed by them : 

support@supportdeska.com 

support@msantispyware2009.com 

support@pandora-software.com 

support@pandoraxl.com 

support@data-saver.org 

support@generalantivirus.com 

Fo the time being, scareware remains the single most 
efficient, managed and high liquidity asset used for 

monetization cybercrime campaigns. 

1. http://ddanchev.blo as pot.com/2009/05/diverse-Dortfolio- 
of-fake-securiltv.html 

2 . 

http://www.virustotal.com/analisis/dbffd55928cle8c0441a64 

ebc2cl0785050bb90ce08ae053d2dacb9fa36d9849-12442 

05554 


3 . 










http://www.vi rustotal.com/analisis/ecde2dl2aafb370b8dea9 

2ba97476d8a032b5bb51ac4aa90cf997af88ble4cc8-12442 


05676 
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Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot (2009-06-08 
09:37) 

Just like [lJGazTranzitStroylnfo's case, what we've got here is 
failure to understand that the efforts put into building 
legitimacy of front-ends to cybercrime, is prone to get 
undermined upon closer examination of the particular web 
hosting provider. 

Who, and what is Life4you .info - Free Hosting for Live 
(dirsite .com; 65.98.15.80; Dennis Linkor Email: 
admin@dirsite.com)? 

" We are pleased to announce the launch of dirsite.com, the 
best ASP.NET host on the web. We currently offer one 267 




plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! 
Unfortunately we have hit our quota for ad free accounts. 

Every new signup is now required to display a 460x60 
banner ad on their content pages. We will be running 
another ad free promotion soon, so be sure to check back! 
We are currently experiencing some technical issues that are 
out of our control. We are suffering some server problems 
and as a result, slight delays in processing signups. We are 





working on it, and will have everything resolved as soon as 
possible. Thank you for your patience. " 

What's so special about them? Well, for starters, they've got 
no customers but the cybercriminals themselves 

maintaining a portfolio of over 7,000 adult related keywords 
which they have been using for blackhat SEO campaigns 
across thousands of automatically registered - [2]CAPTCHA 
recognition outsourced - Blogspot accounts since 

February, 2009. 

With the Blogspot campaign still ongoing, let's assess it and 
expose all the participating scareware domains. 

Upon automatic generation of the Blogspot accounts, links 
like the following are included next to the bogus content, all 
using dirsite.corn's pseudo-legitimate hosting services: 
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goto.dirsite .com/go.php?sid = 2 &tds- 
key=erotic+bikini +babes 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=sexe+amateur+on +my+space 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=aunt+judy+older+women 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=view+private+profiles+on + myspace 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=fullmetal+alchemist+porn 


goto.dirsite .com/go.php?sid = 2 &tds- 
key=Asian+style + bed+throws 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=cheerleader+candid+pictures 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=desisexstories 

goto.dirsite .com/go.php?sid = 2 &tds- 
key= Hey+Arnold + porno 

goto.dirsite .com/go.php?sid = 2 &tds- 
key=warcraft+henrai 

Upon clicking the users are redirected to tdncgo2009 
.com/?uid=68 &pid=3 (trdatasft .com; fra22 .net; 

Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, 
where the scareware domains are randomly loaded: 

virusdoctor-onlinedefender .com - 64.213.140.69 Email 
sebarinvert.ivus@gmail.com 

onlinescan-ultraantivirus2009 .com - 206.53.61.76 

virussweeper-scan .net - 206.53.61.76 
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virusalarm-scanvirus .net - 206.53.61.76 

viruscatcher .net - 64.213.140.71 Email: 
jeannemcpeters@gmail.com 

fast-antivirus .com - 64.213.140.68 


The [3]scareware attempts to [4]phone back to 

updatel.virusshieldpro .com/ReleaseXP.exe - 

206.53.61.75 - 

Email: unitedisystems@gmail.com and to updvmfnow .cn - 
64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then 
phones back to the following locations, naturally earning 
profit for the cybecriminal - 

pay-virusshield .cn - 64.213.140.70; Email: 
unitedisystems@gmail.com; Returning the following 
message: 11 Sorry, the operation is currently unavailable, 
please email our support team from product's site (Error 
Code #150)" 

updvmfnow .cn - 64.86.17.9 

updvmfnow .cn/reports/install-report.php (64.86.17.9) 
updvmfnow .cn/reports/soft-report.php 
updvmfnow .cn/reports/minstalls.php 
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The phone back location is also hosting more active 
scarewaredomains: 

ultraantivirus2009 .com - 64.86.17.9 
virusalarmpro .com 
vmfastscanner .com 
mysuperviser .com 
pay-virusdoctor .com 


virusmelt .com 


payvirusmelt .com 

Not only is life4info .info or dirsite .com a bogus free 
hosting provider, but the campaigns hosted by them are 
interacting with our "dear friends" at [5]AS30407; VELCOM 
.com which Spamhaus describes as " N. American base of 
Ukrainian cybercrime spammers" - and with a reason. 

1 . 

http://ddanchev.blo as pot.com/2009/05/ a aztranzitstrovinfo- 

fake-russian- a as.html 

2. http://blo a s.zdnet.com/securit v/? p = 1835 

3. 

http://www.virustotal.com/analisis/96ef88149ff92023f6dc83 

93c547ed3ad5f2938a3018cQ8a7105c63677ea6391-12444 

12339 
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4. 

http://www.virustotal.com/analisis/b56d88ef2aea4c0df0be48 

a41821beccl5b6e2ba9ca7b763726ac67973ce4d5f-12440 

68810 

5. http://www. a oo a le.com/safebrowsin a /dia a nostic? 
site=AS:3Q407 

272 


£ 






















GazTransitStroy/GazTranZitStroy 

Rubbing 

Shoulders 

with 

Petersburg 

Internet 

Network 

LLC 

(2009-06-08 14:28) 

Following the [l]GazTransitStroy/GazTranZitStroy 
(gaztranzitstroyinfo.ru; 67.15.253.241) coverage, [2]the 
gang behind the bogus gas company drilling for [3]insecure 
PCs across the Web has returned to its roots - St. Petersburg, 
Russia, with routing services courtesy of PIN-AS Petersburg 
Internet Network LLC (AS44050) (internet-spb.ru) : 

11 descr: Petersburg Internet Network LLC 

address: Sedova 80 

address: St.-Petersburg, Russia 

e-mail: support@internet-spb. ru 

phone: +7 812 4483863 

fax-no: +7 812 4483863 

person: Metluk Nikolay Valeryevich 



address: korp. la 40 51avy ave., 
address: St.-Petersburg, Russia 
e-mail: nm@internet-spb.ru 
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phone: +7 812 4483863 
fax-no: +7 812 2683113 
PIN LLC 
Sedova 80 
+ 7 812 4483863 
support@in ternet-spb. ru 
Metluk Nikolay Valeryevich 
korp. la 40 Si a vy ave., 

St.-Petersburg, Russia 
+ 7 812 4483863 
nm@internet-spb.ru 
Ladoha Anton Vladimirovich 
korp. la 40 Si a vy ave., 

St. Petersburg, Russia 


+ 7 812 4483863 


admin@internet-spb. ru 
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Strukov Evgeny Olegovich 
korp. la 40 51avy ave., 

St.-Petersburg, Russia 
+ 7 812 4483863 
admin2@internet-spb. ru 
e. struko v@pinspb. ru 

Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 
194.11.20.0/23; 195.2.240.0/23" 

What's also worth pointing out that is a huge number of of 
domains operated by GazTransitStroy's customers, and, of 
course, GazTranzitStroy themselves not only traceroute back 
to Petersburg Internet Network LLC's network, but also, 
there's an evident migration to the legitimate NETDIRECT- 
NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well 
as to CHINANET-SH CHINANET shanghai province 
network - 222.64.0.0 - 222.73.255.255. 
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Combined with the fact that EUROHOST-NET/Eurohost 
LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - 
AS48841 


remain an inseparable part of GazTransitStroy's info, clearly 
indicates the presence of a well known cybercrime 
powerhouse - the RBN itself. 

The following domains (crimeware, live exploits, scareware, 
you name it they engage in it) maintained by Gaz- 

TranzitStroy have migrated as follows. From 91.212.41.96 
to CHINANET-SH CHINANET shanghai province network - 

222.64.0.0 - 222.73.255.255: 

loshadinet .com 
roselambda .cn 
use-sena .cn 
peopleopera .cn 
forexsec .cn 
symphonygold .cn 
dreamlitediamond .cn 
vilihood .cn 
bookadorable .cn 
drawingstyle .cn 
housedomainname .cn 
roomsme .cn 
vilasse .cn 


workfuse .cn 



stakeshouse .cn 


financeimprove .cn 
lifenaming .cn 
travetbeach .cn 
schoolh .cn 
rainfinish .cn 
housevisual .cn 
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kvk.housevisual .cn 
xfln.housevisual .cn 
worksean .cn 
blogtransaction .cn 
liteauction .cn 
seamodern .cn 
smilecasino .cn 
newtransfer .cn 
oceandealer .cn 
pub.oceandealer .cn 
musicdomainer .cn 
wowregister .cn 



websiteflower .cn 


travets .cn 
designroots .cn 
teamwows .cn 
startgetaways .cn 
moulitehat .cn 
caxf.moulitehat .cn 
islandtravet .cn 
weekendtravet .cn 
resorttravet .cn 
litefront .cn 
palaceyou .cn 
youbonusnew .cn 
clubmillionswow .cn 
rainjukebox .cn 
xuyxuyxuy .cn 
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From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 
89.149.207.255 - AS28753, interestingly, the DNS servers for 
the following domains 


nsl.pubilcnameserver7.com/nsl.pubilcnameserver7.c 

om are diversifying at 89.149.207.56 

and 91.212.41.114: 

freeantivirusplus09 .com 
realantivirusplus09 .com 
getantivirusplus09 .com 
smartantivirusplus09 .com 
addedantivirusonline .com 
addedantivirusstore .com 
addedantiviruslive .com 
addedantiviruspro .com 
countedantiviruspro .com 
plusantiviruspro .com 
myplusantiviruspro .com 
addedantivirus .com 
youraddedantivirus .com 
bestaddedantivirus .com 
easyaddedantivirus .com 
yourcountedantivirus .com 
bestcountedantivirus .com 
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yourplusantivirus .com 
easyplusantivirus .com 
yourguardonline .cn 
easydefenseonline .cn 
bestprotectiononline .cn 
freecoveronline .cn 
atioqe .cn 
yourguardstore .cn 
mycheckdiseasestore .cn 
examinepoisonstore .cn 
freecoverstore .cn 
myexaminevirusstore .cn 
bestexaminedisease .cn 
yourfriskdisease .cn 
easyfriskdisease .cn 
friskdiseaselive .cn 
bestdefenselive .cn 
bigprotectionlive .cn 
bigcoverlive .cn 



examineillnesslive .cn 
exodih .cn 
suxpymi .cn 
aciazi .cn 

yourfriskinfection .cn 
easyserviceprotection .cn 
easyincomeprotection .cn 
easypersonalprotection .cn 
easybestprotection .cn 
myascertainpoison .cn 
yourguardpro .cn 
refugepro .cn 
mycheckdiseasepro .cn 
ascertaindiseasepro .cn 
yourcheckpoisonpro .cn 
easycheckpoisonpro .cn 
yourfriskviruspro .cn 
myascertainviruspro .cn 
fegbywo .cn 
feptuaq .cn 



myexamineillness .cn 
exousyt .cn 
newguard2u .cn 
freedefense2u .cn 
bigdefense2u .cn 
bestcover2u .cn 
newguard4u .cn 
mydefense4u .cn 
bestcover4u .cn 
newguard4you .cn 
mydefense4you .cn 
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bestcover4you .cn 
yourguardforyou .cn 
newguardforyou .cn 
myguardforyou .cn 
freedefenseforyou .cn 
mydefenseforyou .cn 
bestcoverforyou .cn 


The ongoing affiliation with EUROHOST-NET/Eurohost LLC 
(eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841, 
and the migration of domains (scareware, live exploits, 
crimeware etc.) as follows. From 91.212.41.119 to 
91.212.65.7 

EUROHOST-NET/Eurohost LLC: 

nicdaheb .cn 
sehmadac .cn 
ralcofic .cn 
bikpakoc .cn 
xidsasuc .cn 
koqsuyod .cn 
tozxiqud .cn 
bowselaf .cn 
cuzlumif .cn 
porgacig .cn 
hifgejig .cn 
rogkadej .cn 
sipcojeq .cn 
silzefos .cn 
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popyodiw .cn 
hayboxiw .cn 
peskufex .cn 
ridmoyey .cn 
cakpapaz .cn 

What kind of an ISP be maintaining a permanent Under 
Construction page and engage in Zeus and live exploit 
serving activities on the same IP as its web server? 

[4] EUROHOST-NET/Eurohost LLC is one of them: 

11 person: Mikhail Ignatyev 
address: off. 1, 81 Frunze str., 
phone: +38 093 079 00 32 
address: Evpatoria, Crimea, Ukraine 
e-mail: ipadmin@eurohost.biz. ua" 

At eurohost.biz.ua (91.212.65.5) we also have parked 

[5] 123-service.ru, serving a [6]deja-vu account suspended 
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message - 11 This account has been suspended. Either the 
domain has been overused, or the reseller ran out of 
resources. " as well as [7]ramshanabc.ru, with another 
account suspended message despite its previous 
involvement in Zeus crimeware campaigns in January, 2009 
(ramshanabc .ru/ferrari/main.bin; ramshanabc 
.ru/ferrari/main.bin). 



Besides these domains, several others, again registered to 

kirilboltovnet@yandex.ru are known to have been 
maintaining running Zeus crimeware campaigns as well: 

grafjasqq .ru/kiew/kiew.cfg 

heliskamm .ru/kiew5.cfg 

mamaloki .ru/dir2.cfg489 

mamaloki .ru/kiew3.cfg 

nionalku .ru/dir5.cfg 

nionalku .ru/kiew6.cfg 

Still not convinced in how malicious their intentions really 
are? The phone number ( + 7 928 7867612) used in 

the registrations of these domains was most recently used in 
a [8]spammed Zeus crimeware campaign impersonating 
Western Union. 

1. 

http://ddanchev.blo as pot.com/2009/05/ a aztranzitstrovinfo- 

fake-russian- a as.html 

2. http:// a oo a le.com/safebrowsin a /dia a nostic? 
site=AS:29371&hl=en 

3. http://twitter.com/arbornetworks/status/1873576720 

4. http://blo a .fireeve.com/research/2009/Q3/bad-actors-part- 
6-eurohost-llc.html 

5. http:// a oo a le.com/safebrowsin a /dia a nostic?sife=123- 
service.ru 






















6. http://ddanchev.blo as pot.com/20Q8/01/rbns-fake-account- 
suspended-notices.html 


7. https://zeustracker.abuse.ch/monitor. php? 
host=ramshanabc.ru 


8. http://www.dslreports.com/forum/r22374680-Spam- 
Western-Union-Transfer-MTCN-1848485 5 71-ZIP-FILE-VIRUS 

282 


E 


E 


From Ukrainian Blackhat SEO Gang With Love - Part 
Two (2009-06-09 23:03) 

It seems that the portfolio of [l]redirectors using my name 
part of an ongoing [2]Ukrainian blackhat SEO is expanding, 
with seximalinki .ru/images/ddanchev-sock-my- 
dick.php, as the latest addition. This brings up the number 
of redirectors to three, at least for the time being: 

• seximalinki.ru/images/ddanchev-sock-my-dick.php - 

active - 74.54.176.50; Email: Hippacmc@land.ru 

• seo.hostia .ru/ddanchev-sock-my-dick.php - active - 
213.155.2.37 

• HiDancho.mine .nu/login.js - active - 64.21.86.16 

Let's dissect the latest campaigns, including several related 
ones not necessarily serving scareware, moreover, let's also 
establish a connection between this gang and the [3]ongoing 
hijacking of Twitter trending topics for malware serving 
purposes, shall we? 












The redirector takes the user to 

antimalwareonlinescannerv3 .com - 83.133.115.9; 
91.212.65.125; 69.4.230.204 - 

Email: immigration.beijing@footer.cn where [4]the scareware 
is served. 

The campaign is also relying on three more scareware 
domains antimalware-live-scanv3 .com; 
antimalwareliveproscanv3 .com ; 
fastsecurityupdateserver .com, with 
nsl.futureselfdeeds .com ensuring that the rest of the 
portfolio remains in tact: 
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premiumlivescanvl .com 
advanedmalwarescanner .com 
advanedpromalwarescanner .com 
antiviruspcscannervl .com 
antiviruspremiumscanv2 .com 
malware-live-pro-scanvl .com 
malwareliveproscanvl .com 
malwareliveproscannervl .com 
malwareinternetscannervl .com 
anti-spyware-scan-vl .com 
antimalwarescanner-v2 .com 


freeantispywarescan2 .com 
antivirus-scanner-vl .com 
internetotherwise .com 
macrosoftwarego .com 
world-payment-system .com 
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paymentonlinesystem .com 
livewwwupdates .com 
liveinternetupdates .com 
livesecurityupdate .com 
securitysoftwarepayments .com 
antiviruspaymentsystem .com 
systemsecurityupdates .com 
networksecurityadvice .com 
systeminternetupdates .com 
protectionsystemupdates .com 
updateinternetserver2 .com 
protectionupdates2 .com 
proantivirusscannerv2 .com 


proantivirusscanv2 .com 
powerantivirusscanv2 .com 
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These blackhat SEO-ers have been actively multitasking 
during the past couple of months. For instance, another 

campaign maintained by them at Lycos Tripod's is-the- 
boss.com is using the redirector ntlligent .info/tds/in.cgi? 
11 

&seoref= &parameter= $keyword &se= $se &ur=l 

&HTTP _REFERER= (72.232.163.171), hosted by Layered 
Technologies, Inc., in order to serve a a [5]Koobface sample 
located at 91.212.65.35/view/l/1416/0, which upon 

execution phones back to uprl5may .com/achcheck.php; 
uprl5may .com/ld/gen.php (119.110.107.137) as well as to 
i-site .ph/l/6244.exe; i-site .ph/l/nfr.exe with the second 
binary phoning back to 85.13.236 .154/v50/?v=71 &s=l 

&u id = 1824245000 &p=14160 &ip= &q = . 
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Another campaign maintained by them at is-the-boss.com is 
using three redirectors kurinah.freehostia .com/in. egi?8 

&seoref= &parameter= $keyword &se= &ur=l &HTTP 
_REFERER=; promodomain .info/in. egi?8 &seoref= 
&parameter= $keyword &se= &ur=l &HTTP _REFERER= - 
66.40.52.63 - Email: support@ruler-domains.com and 


thetrafficcontrol .net/in.egi?8 &seoref= &parameter= 
$keyword &se= &ur=l &HTTP _REFERER=, until the user is 
finally redirected to a fake PornTube portal big-tube-list 
.com/teens/xmovie.php?id=45048 - 216.240.143.7 - 
isaacdonn@gmail.com where malware is served from my- 
exe-profile .com/[6]streamviewer.45048.exe - 
66.197.171.6 - 

Email: michalevd@gmail.com. 

Upon execution, streamviewer phones back to 
reportsystem32 .com/senm.php?data= - 216.240.146.119 
terra-dataweb .com/senm.php?data=v22 - 
66.199.229.229 and dvdisorapid .com/senm.php? 
data=v22 - 64.27.5.202. 

Several related fake codec serving domains parked at 
216.240.143.7 are also currently active: 

get-mega-tube .com - Email: raymgnw95@gmail.com 

best-crystal-tube .com - Email: raymgnw95@gmail.com 

the-lost-tube .com - Email: hilachow@gmail.com 

sunny-tube-house .com - Email: hilachow@gmail.com 

proper-tube-site .com - Email: hilachow@gmail.com 

tube-xxx-work .com - Email: hilachow@gmail.com 

big-tube-list .com - Email: isaacdonn@gmail.com 

287 


2 

12 


A third campaign is using a single redirector to tangoing 
.info/cgi-bin/analytics?id = 917304 &k= - 91.207.61.48 - 

Email: dophshli@gmail.com to dynamically redirect visitors 
to pretty much all the scareware domains listed in [7]part 
twenty one of the diverse portfolio of fake security software 
series. Moreover, the very same email used to register the 
redirecting domain was also used to register a [8]payment 
processing gateway for scareware transactions in 

January, 2009. 

Yet another blackhat SEO operation maintained by the same 
group since February, 

2009 is fi97 

.net/jsr.php?uid = dir &group=ggl &keyword= &okw= 
&query=" + query+" referer="+escape(document.referrer) + " 

&href="+escape(location.href) + " &r=" + rzz+"'> 
< M +7scr"+"ipt>", which according to publicly obtainable 
statistics received approximately 138, 000 unique visitors in 
April, with 30.23 % coming from Google. 
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The [9]traffic hijacking of for the purpose of serving malware, 
using over a hundred different .us domains was in fact so 
successful that several [lOJwebmasters reported loosing 
[lljtheir organic search traffic due to [ 12]the content within 
the sites. The campaign then switched to a pharmaceutical 
theme using a Google search engine theme, with several 
static links to pharma scams, once again using the already 
established traffic redirections tactics. 


The redirectors in question petrenko .biz - 88.214.200.150 
- Email: olegoff@yandex.ru and myseobiz .net - 

67.225.158.16 - Email: 

3bd864dddbe4421ablll2a6ebc6df4fb.protect@whoisguard. 
com remain in operation. The 

bogus Google front page is advertising the following pharma 
domains: 

theusdrugs .com - 78.140.132.11, parked at the same IP 
are also more pharma domains: 
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medscompany .org 
canadian-rxpill .com 
bestyourpills .com 
rx-drugs-support .com 
payment-rx .com 
genericdrugs .in 
mendrugsshop .com 
healthrefill .com 
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It gets even more inter-connected and malicious since this 
very same gang is also the one responsible for the ongoing 


[13]malware campaign spreading scareware by using 
Twitter's trending topics. Let's establish a direct connection 
between the Ukrainian gang and the campaign. 

The TinyURL links used redirect to an identical domain - 
OOfreewebhost .cn - 211.95.79.115 - Email: louis- 
greenfield@gmail.com, where an iFrame is loading happy- 
tube-video .com/xplays.php?id=40030 - 216.240.143.7 

- Email: isaacdonn@gmail.com where [14]Mal/FakeAV-AY 
(streamviewer.40030.exe) is served, this time from 

exe-soft-files .com/streamviewer.40030.exe - 
66.197.171.6 - Email: michalevd@gmail.com. 
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This very same domain (happy-tube-video .com registered 
to isaacdonn@gmail.com) is part of the second PornTube fake 
codec campaign which I assessed above, this time pushed 
through the gang's blackhat SEO campaigns. 

Moreover, in a typical cybercrime-friendly style, the main 
malicious domain operated by the gang and used in 

the Twitter campaign - OOfreewebhost .cn - continues to 
load the malware serving domain despite that it's main index 
is serving a [15]fake account suspended notice - 11 This 
Account Has Been Suspended, This includes, but is not 
limited to overusing server resources, publishing adult 
content, or unauthorized posting of copyrighted material. 

Please contact our Support Team for more information. " 
Which is pretty amusing, since despite the fact that they're 
using an iFrame to point to a different location, they've left 
an animated GIF image of a fake codec hosted there - 


OOfreewebhost .cn/shmo/pl.gif 
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A second connection between the Ukraininan black SEO 
gang, Twitter's ongoing campaign and the [16]fake web 

hosting provider which I profiled yesterday can also be made. 

For instance, the [17]URL shortening service used in last 
week's campaign at Twitter a.gd/2524d9/ redirects to 
66.199.229 .253/etds/go.php?sid=43 and then to av- 
guard .net/?uid = 27 &pid=3 as well as to fast-antivirus 
.com which are the scareware domains exposed in the recent 
M [18]Fake Web Flosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot" post. The scareware 
obtained from it, as well as the scareware from the above- 
exposed PornTube campaign streamviewer.40030.exe 
also share the same phone back locations. 

Coming across yet another operation managed by them, 
namely, the ongoing Twitter trending topics hijacking 

attack, clearly demonstrates the impact this single group of 
individuals can have while multitasking at different fronts. 

And despite the numerous traffic acquisition tactics used, the 
monetization approach remains virtually the same - 

[19]scareware. 

1. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

2. http://ddanchev.blo as pot.com/2009/04/massive-blackhat- 
seo-campai a n-servin a .html 











3. http://blo a s.zdnet.com/securit v/? p = 3549 

4. 

http://www.virustotal.com/analisis/b6be40adcd5157dcfbcf8d 

332179dee6d2f9afb8c9a2 345 7d4e3034f849b9cl 0-12443 

22301 

5. 

http://www.virustotal.com/analisis/cl033da5d371cff01c92eb 

aa9f3252fe74c4ce9611273747289d803d44688be0-12444 
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Iranian Opposition DDoS-es pro-Ahmadinejad Sites 
(2009-06-16 12:53) 

































By utilizing the people's information warfare concept, Iranian 
opposition has managed to [l]successfully organize a 
cyber attack against Tehran's regime (complete 
analysis) by using Twitter, web forums, and localization 
(translation) of the recruitment messages in order to seek 
assistance from foreigners. 

So far, their rather simplistic denial of service tools has 
managed to disrupt access to key government web 

sites, and the intensity of the attacks is prone to increase 
since the opposition appears to be in a "learning mode". 
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What does "learning mode" stand for here? It's their current 
stage of experimentation clearly indicating their 
inexperience with such campaigns and DDoS attacks in 
general. The opposition's de-centralized chain of command 

isn't even speculating on the use of botnets, since the 
primitive multi-threaded Iranian connections hitting Iranian 
sites seems to achieve their effect. 
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From a strategic perspective, this internal unrest resulting in 
the disruption of key government web sites, the de-facto 
propaganda vehicles of the current government, is directly 
denying their ability to influence the population and the 
media, which on its way to find information is inevitably 
going to visit the working opposition web sites. 


Moreover, the majority of people's information warfare driven 
cyber attacks we've seen during the past two 

years, have all been orbiting around the scenario where a 
foreign adversary is attacking your infrastructure from all 
over the world. But in the current situation, it's Iran's internal 
network that's self-eating itself, where the trade off for 
denying all the traffic would be the traffic which could be 
potentially influenced through PSYOPs (psychological 
operations). 
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What has changed since [2]yesterday's real-time OSINT 
analysis? The web based "Page Rebooter" tool heavily 
advertised by the opposition has decided to stop offering the 
service due to the massive abuse: 

11 Unfortunately I have had to take the site down temporarily. 
The site was being used to attack other websites, until I can 
determine the source of these attacks, I have decided to 
keep it offline. My apologies to everyone who uses this site 
for it's intended purpose, hopefully we'll be back soon. I 
have now received several emails regarding this. 
Unfortunately, last night's spike in traffic cost me a lot of 
money in server costs, I therefore cannot afford to keep it 
online - 

even if the use is just. I have therefore decided to release the 
code for this site, so that you may create your own copies. 11 

Meanwhile, the opposition has come up with a segmented 
targets list including hardline news portals, official 

Ahmadinejad sites, Iranian law enforcement sites, banks, 
judiciary and transportation sites, aiming to recruit 


international supporters: 
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M ALL PEOPLE AROUND THE WORLD: 

Please help us in a full-scale cyberwar againts the dictatorial 
brutal government of Ahmadinjead! Help Iranians to earn 
back their votes per instructions below: 

Simply dick on few of the following links (better too choose 
your selections from different categories); it opens the site in 
a new tab. It will not stop you from browsing but by sending 
a refresh signal to the target site will saturate it. By doing so, 
we can block Ahmadinjead's governments flow of 
information in many of its key components as shown below. 
Please help us and yourself from this lunatic who will push 
the world to world war III. 11 
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Following the updated list of targets, a new [3]L0IC.exe DoS 
tool is being advertised. The tool is however, anything but 
sophisticated (it's been around since 6 Jul 2008) compared to 
even the average Russian DDoS bot. Combined, 

the simplistic nature of the opposition's attack tools indicates 
the lack of any in-depth understanding of information 
warfare principles, in times when other countries are already 
going beyond cyber warfare and aiming for the 

unrestricted warfare stage. 
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The Conspiracy Theory and the Facts 

How is the Iranian government/regime responding to these 
attacks, is it striking back to the fullest extend speculated in 
a countless number of cyber warfare research papers? 
Moreover, can it actually attack the "adversaries" which in 
this case reside within the country's own network? Can we 
easily compare this unpleasant situation from an 

information warfare perspective to the ongoing discussions 
whether or not the [4]Should the US Go Offensive In 

Cyberwarfare?, and "go offensive" against who at the first 
place? The hundreds of thousands of U.S based malware 
infected hosts operated by a foreign entity as the adversary 
[5]while using the targeted country's infrastructure as a 
human shield? 
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That's a dilemma that Iran's government is currently facing, 
but let's connect the dots and prove that the [6]Fars News 
Agency which is pro-Ahmadinejad, and maintains ties to the 
[7]lranian judiciary, has in fact participated in this 

" cyber warfare attack with sticks and stones". 

The Fars News Agency has been under attack since the 
beginning of the campaign, approximately 48 hours 

ago, prompting the site - just like many others - to switch to 
"lite" versions taking into consideration the ongoing attacks 
wasting the sites' bandwidth. 
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In a desperate attempt to influence the outcome of the DDoS 
attack, Fars News included iFrames pointing to 

opposition and anti-Ahmadinejad news sites 

(balatarin.com; ghalamnews.com and mirhussein.com) 

in order to redirect some of the attack traffic to them. The 
campaigners noticed the change, but upon confirming that 
the 

opposition's web sites remain online even with the iFrames in 
place, decided to continue the attack. 

The bottom line - when your very own infrastructure hates 
you, you become nothing else but an observer to the 
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declining propaganda exposure projections that you've once 
set, failing to anticipate the fully realistic scenario when the 
adversary that you've been fortifying to protect from, or have 
build sophisticated offensive capabilities to deal with, is in 
fact residing within your own infrastructure. Attempting to 
attack him or shut him down will only multiply the effect of 
his original campaign. 

[8] The net is vast and infinite. 

Recommended reading: 

[9] A CCDCOE Report on the Cyber Attacks Against Georgia 

[10] DDoS Attack Graphs from Russia vs Georgia's 
Cyberattacks 


[ll]The Russia vs Georgia Cyber Attack 
[ 12]Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth 

[13] People's Information Warfare Concept 

[14] Combating Unrestricted Warfare 

[15] The Cyber Storm II Cyber Exercise 

[16] Chinese Hacktivists Waging People's Information Warfare 
Against CNN 

[17] The DDoS Attacks Against CNN.com 

[18] China's Cyber Espionage Ambitions 

[19] North Korea's Cyber Warfare Unit 121 

[20] Chinese Hackers Attacking U.S Department of Defense 
Networks 

[21] Electronic Jihad v3.0 - What Cyber Jihad Isn't 

[22] Electronic Jihad's Targets List 

[23] A Cyber Jihadist DoS Tool 

[24] Teaching Cyber Jihadists How to Hack 

[25] Empowering the Script Kiddies 
[26JOSINTThrough Botnets 

[27] Corporate Espionage Through Botnets 

[28] Malware Infected Hosts as Stepping Stones 

[29] Hacktivism Tensions - Israel vs Palestine Cyberwars 



[30] The Current, Emerging, and Future State of Hacktivism 

[31] lnternet PSYOPS - Psychological Operations 
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From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

(2009-06-17 18:36) 

UPDATE: In less than half an hour upon notification, Twitter 
and Linkedln have already removed the bogus accounts. 

UPDATE2: Forty five minutes later Scribd removes the 
bogus accounts. 

As usual, persistence must be met with persistence. 

A single [l]blackhat SEO group - if well analyzed and 

monitored - has the potential to provide an insight into some 
of the current monetization tactics [2]which cybecriminals 


























use, as well as directly demonstrate the (automatic) impact 
they have across different Web 2.0 services. 
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What is my "[3]fan club" up to anyway? Covering up their 
weekend's Twitter campaign that was serving scareware by 
using a new template, and once again diversifying - this time 
by managing a bogus Linkedln accounts campaign, another 
one on Scribd, followed by another another currently active 
one on Twitter, in between increasing the size of their 
blackhat SEO farm at is-the-boss.com. 

Moreover, for the first time ever, the group is starting to 
serve live exploits based on a bit.ly URL shortening service 
referrer, like the ones used in the latest Twitter campaign. 

The use of Arbitrary file download via the Microsoft Data 
Access Components (MDAC) exploits is done to ultimately 
drop a new [4]Koobface variant, making this [5]the 

second time the group is pushing Koobface variants beyond 
Facebook. 

Let's summarize their activities during the past six days 
starting with the weekend's campaign across Twitter. 

Upon clicking on the TinyURL, the user is redirected through 
their well known 66.199.229 .253/etds (66.199.229 

.253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php? 
sid=41; 66.199.229 .253/etds/go.php?sid=43; 

66.199.229 

.253/etds/got.php?sid=43) traffic management location, to 
end up at the scareware av4best .net (64.86.17.47) with a 
new template is served ([6]FakeAlert-EA). 
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Parked on the same IP are also well known scareware 
domains known from their previous campaigns, namely 

fast-antivirus .com and viruscatcher .net. The scareware 
message used in the new template takes you back to the 
good old school MS-DOS days : 

11 A problem has been detected and windows has been shut 
down to prevent damage to your computer. 

Initialization_failed C:\WlNDOW5\system32\himem.sys 

if this is the first time you've seen this Stop error screen, 
restart the computer, if this screen appears again, read 
information below: The reason why this might happen is the 
newest malicious software which blocks access to the system 
libraries. Check to make sure any new antivirus software is 
properly installed. We suggest you to download and install 
antivirus, new up-to-date software which specializes on 
detection and removal of malicious and suspicious software. 


The messaged used in the weekend's Twitter campaign, as 
well as a graph on the peaks and downds for a par¬ 
ticular keyword: 

11 Competitions video; What do you think about video; I know 
why Percent Of Accounts; Between food and gay; movie 
Trailleri; Sun eclipce free; Air France extreem; Tetris long and 
sweet; Take sex under control; alcohol long and sweet; 


Between food and SATs; What do you think about Autotune; 
Gotcha!, Palm Pre!; Goodnight high 
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in the sky; What do you think about Hangover; Death of 
Autotune crack addict; Amazing, movie from MS FT; Amazing. 
Air France from MSFT; Sims 3, it's Cool!; video, It's Cool!; 
Manage Air France; Amazing, porn from MSFT; alcohol 
unbroken; Them girls Honduras; Between food and phish; 
Between food and Detroit; Tetris high in the sky; I know why 
iPhone; Futurama unbroken; Balls to the Woman Who Missed 
Air; alcohol high in the sky; follow the video " 

Sample (now suspended) automatically registered accounts 
used in the weekend's campaign: 

twitter .com/wenning351 

twitter .com/ula475 

twitter .com/escher338 

twitter .com/ochs40 

twitter .com/karlenl31 

twitter .com/cordes904 

twitter .com/hecker905 

twitter .com/bohl566 

twitter .com/sattler649 

twitter .com/hildegardll5 

twitter .com/andreas281 



twitter .com/wassermann38 
twitter .com/rummel980 
twitter .com/guilaine896 
twitter .com/orlowski781 
twitter .com/rupette972 
twitter .com/holzner473 
twitter .com/dumke576 
twitter .com/hilgers465 
twitter .com/heesel57 
twitter .com/meier679 
twitter .com/habel896 
twitter .com/holzinger567 
twitter .com/wilhelm578 
twitter .com/dearg450 
twitter .com/habicht717 
twitter .com/ferde373 
twitter.com/hass323 
twitter .com/heckmann918 
twitter .com/bruna555 


twitter .com/wilbert25 



twitter .com/eckart412 
twitter .com/sperlich374 
twitter .com/jahn562 
twitter .com/ludvig30 
twitter .com/bing274 
twitter .com/fett628 
twitter .com/brock93 
twitter .com/mally981 
twitter .com/merle752 
twitter .com/axmannlOl 
twitter .com/pelz478 
twitter .com/renaud687 
twitter .com/wienke879 
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twitter .com/hartinger619 
twitter .com/chriselda988 
twitter .com/kloos267 
twitter .com/dreyerl5 
twitter .com/herta740 


twitter .com/brauer427 
twitter .com/nadina732 
twitter .com/wenda245 
twitter .com/rieken434 
twitter.com/reinhardl92 
twitter .com/plathl32 
twitter .com/bick497 
twitter .com/johannsen747 
twitter .com/tacke432 

Besides the TinyURL links used, they've also returned to 
temporarily using their original .us domains such as twitter 

.8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 
5us .us - 82.146.51.25 - Email: elchip0707@mail.ru, and 
girlstubes .cn 82.146.52.158 - Email: 
alexvasilievl987@cocainmail.com with Alex Vasiliev's emails 
first noticed in the [7]Diverse Portfolio of Fake Security 
Software - Part Nine and again in [8]Part Twenty. 

Now it's time to assess their currently active campaigns 
across Twitter, Linkedln and Scribd, and connect the dots in 
the face of the single URL acting as a counter across all the 
campaigns - counteringate .com (194.165.4.77) which has 
already been profiled in their [9]original massive blackhat 
SEO campaign, and still remains active. 
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The automatically registered and currently active Twitter 
accounts participating in the campaign are as follows, it's 
also worth pointing out that compared to their previous 
campaigns, in this way they've included relevant 

backgrounds and avatars to the Twitter accounts: 

twitter .com/AshleyTisdall 
twitter .com/AnnaNicoleSmit 
twitter .com/ParisHiltonjpgl 
twitter .com/ParisHiltonmovl 
twitter .com/ParisHiltonNake 
twitter .com/ParisHiltonSexl 
twitter .com/ParisHiltonNud2 
twitter .com/ParisSexTape2 
twitter .com/Britneynipslipl 
twitter .com/Britneywomani 
twitter .com/Britneystripl 
twitter .com/BritneySex 
twitter .com/Britneycomix 
twitter .com/Britneywomaniz 
twitter .com/BritneyNaked2 
twitter .com/britneysextape 



twitter .com/BritneyxSpearsl 
twitter .com/Britneydesnudal 
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twitter .com/LopezAss 
twitter .com/jennifermorriso 
twitter .com/JenniferTilly2 
twitter .com/AnistonSexscen 
twitter .com/AnistonBangs 
twitter .com/JenniferTillyl 
twitter .com/Jennifernude 
twitter .com/JenniferConnel 
twitter .com/JenniferGarnerl 
twitter .com/LopezNaked 
twitter .com/AnistonSexiest 
twitter .com/JenniferAnisto4 
twitter .com/JenniferToastee 
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twitter .com/JenniferAnisto2 
twitter .com/LoveHewittl 
twitter .com/JenniferLoveHl 
twitter .com/JenniferGreyn 
twitter .com/lJenniferAnisto 
twitter .com/2JenniferAnisto 
twitter .com/lJenniferLopez 
twitter .com/Lopedesnudal 
twitter .com/ElishaCuthbert3 
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twitter .com/ElishaCuthbertl 
twitter .com/AlysonHannigan2 
twitter .com/AliciaMachado 
twitter .com/AMLarterNaked 
/twitter .com/AMLarterNude 
twitter .com/MelissaJoanha 
twitter .com/AishwaryaRaiNl 

Upon clicking on bit .ly/Je2Sd, the user is redirected to 
oymomahon .com/mirolim-video/3.html - 216.32.86.106 


Email: StaceyGuerreroSF@gmail.com, redirecting to 

myhealtharea .cn/in.cgi?13 and then to oymoma-tube 

.freehostia.com/x-tube.htm where the fake 
codec/scareware is served, downloaded from 

totalsitesarchive 

■ com/error.php?id = 62 - [10]Trojan.Win32.FakeAV.nz which 
once executed phones back to bestyourtrust 

.com/in.php?url = 5 &affid=00262 (209.44.126.241) parked 
at the same IP are also the following scareware domains: 
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uniqtrustedweb .com 
hortshieldpc .com 
securetopshield .com 
gisecurityshield .com 
ourbestsecurityshield .com 
intellectsecfind .com 
thesecuritytree .com 
godsecurityarchive .com 
besecurityguardian .com 
thefirstupper .com 
securityshieldcenter .com 


bitsecuritycenter .com 
joinsecuritytools .com 
hupersecuritydot .com 
bestyourtrust .com 
thetrueshiledsecurity .com 
souptotalsecurity .com 
scantrustsecurity .com 

The second bit .ly/la5ZsY link used in the Twitter 
campaign, is redirecting to showmealltube .com/paqi- 
video/7.html 

- 64.92.170.135 Email: zbestgotterflythe@gmail.com. 

From there, the redirector myhealtharea .cn/in.cgi?12 - 
216.32.83.110 - zbest2008@mail.ru again loads oymoma- 
tube.freehostia .com/tube.htm and most importantly the 
counter counteringate .com/count.php?id = 186 which is 
using [ll]an IP known from their previous campaign 
(194.165.4.77). 
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Time to move on to the Linkedln campaign, and establish a 
direct connection with the Twitter one, both maintained by 
the same group of cybercriminals. 

Currently active and participating Linkedln accounts: 

linkedin .com/in/rihannanude 


linkedin .com/in/rihannanude2 


linkedin .com/in/nudecelebs 
linkedin .com/in/britneyspearsnudee 
linkedin .com/in/pamelaandersonnudee 
linkedin .com/in/nudepreteen2 
linkedin .com/in/tilatequilanudee 
linkedin .com/pub/beyonce-nude/14/b/952 
linkedin .com/pub/child-nude/13/b4b/al6 
linkedin .com/in/nudemodels 
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linkedin .com/in/preteennude 
linkedin .com/in/mariahcareynude3 
linkedin .com/in/nudeboys 
linkedin .com/in/evamendesnude2 
linkedin .com/in/nudebeaches 
linkedin .com/in/nudebabes 
linkedin .com/in/nudewomen2 

linkedin .com/pub/ashley-tisdale-nude/13/b4b/762 
linkedin .com/pub/mila-kunis-nude/13/b4a/b99 


linkedin .com/pub/nude-kids/13/b4b/aa 
linkedin ,com/pub/young-nude-girls/13/b4a/6a 
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The Linkedin campaign is linking to the delshikandco 
.com, from where the user is redirected to the same domains 
used in the Twitter campaign, sharing the same celebrity 
theme - delshikandco .com/mirolim- 
video/3.html/delshikandco .com/paqi-video/l.html - 
216.32.83.104 leads to myhealtharea .cn/in.cgi?12 to 
finally serve the codec at ymoma- 
tube.freehostia.com/xxxtube.htm or at tubes- 
portal.com/xplaymovie.php?id=40012 - 

216.240.143.7, another [ 12]IP that has already been profiled 
part of their previous campaigns. 

Yet another nude themed campaign is operated by the same 
group at Scribd, linking to the already profiled 

delshikandco .com, used in both, Twitter's and Linkedln's 
campaigns. 
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Currently active and participating Scribd accounts: 

scribd .com/Stacy %20Keibler-nude 

scribd .com/Vanessa Hudgens %20nude 

scribd .com/Jessica %20 %20Simpson %20 %20nude 


scribd .com/MileyCyrus %20nude 

scribd .com/KimKardashian %20 %E2 %80 %98nude 
%E2 %80 %99 

scribd .com/Carmen %20 %20Electra %20nude 
scribd .com/Jennifer %20Anistonnude 
scribd .com/Paris-Hilton-nude3 
scribd .com/Vida %20 %20Guerra %20 %20nude 
scribd .com/nude2 

scribd .com/Kim %20 %20Kardashian %20nude 

scribd .com/ZacEfron %20nude 

scribd .com/BritneySpears %20nude 

scribd .com/Hilary-Duff-nude %202 

scribd .com/Angelina-Jolie-nudell 

scribd .com/Vanessa-Hudgens-nude2 

scribd .com/Natalie-Portman-nude2 

scribd .com/JessicaAlba %20nude 

scribd .com/Jennifer-Love-Hewitt-nude 11 
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scribd .com/Kim-Kardashian-nude2 


scribd .com/Jessica-Alba-nudells 

scribd .com/JENNIFER %20LOPEZ %20NUDE3 

scribd .com/Elisha %20 %20Cuthbert %20 %20nude 

scribd .com/Paris-Hilton-nudel 

scribd .com/HilaryDuff %20nude 

scribd .com/Megan-Fox-nude2 

scribd .com/Britney-Spears-nudel 

scribd .com/Candice %20 %20Michelle %20nude 
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scribd .com/Vanessa %20 %20Anne %20 %20Hudgens 
%20nude 

scribd .com/rihanna-nude2 

scribd .com/jenny %20Mccarthy %20nude 
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scribd .com/Brooke-Burke-nude2 
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scribd .com/DeniseRichardsnude 
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scribd .com/Billie %20Piper %20nude 
scribd .com/Rosario %20Dawson %20nude 
scribd .com/Anna %20Kournikova %20nude 
scribd .com/Jennifer-Love-Hewitt-nude2 
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scribd .com/Kate %20Winslet %20nude 

scribd .com/Carmen %20Electra %20nude 

scribd .com/Jennifer %20Love %20Hewitt %20nude 

scribd .com/Vida %20Guerra %20nude 

scribd .com/AnneHathaway %20nude 

scribd .com/JenniferLopez nude 

scribd .com/Trish %20Stratus %20nude 

scribd .com/Lindsay Lohannude 
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scribd .com/MariahCarey %20nude 
scribd .com/JohnCena %20nude 
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scribd .com/Madonna %20nude 

scribd .com/JenniferLopez %20nude 
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scribd .com/Celebrity %20nude 
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scribd .com/PamelaAnderson %20nude 

scribd .com/Anna %20Nicole %20Smithnude 

scribd .com/Meg %20Ryan %20nude 

scribd .com/Kate %20Hudsonnude 

Now that all the campaigns are exposed in the naked fashion 
of their themes, it's worth emphasizing on the 

live exploits serving Koobface samples based on a bit.ly 
referrer - in this case the process takes place through 
myhealtharea .cn/in.cgi?13, which instead of redirecting to 
scareware domain as analyzed above, is redirecting to fast- 
fluxed set of IPs serving identical [13]Koobface binary - 
myhealtharea .cn/in.cgi?13 loads r-cgl00609 

.com/go/?pid = 30455 &type=videxp (92.38.0.69) which 
redirectss to the live exploits/Koobface. 

Parked on 92.38.0.69 are also the following domains: 

er20090515 .com 


upr0306 .com 



cgpay0406 .com 
r-cgpay-15062009 .com 
r-cgl00609 .com 
trisem .com 
uprtrishest .com 
uprl5may .com 
rd040609-cgpay .net 

Dynamic redirectors from r-cgl00609 .com/go/?pid = 30455 
&type=videxp on per session basis: 

92.255.131 .217/pid=30455/type=videxp/?ch= &ea = 

92.255.131 .217/pid=30455/type=videxp/setup.exe 

76.229.152 .148/pid=30455/type=videxp/?ch= &ea = 

76.229.152 .148/pid=30455/type=videxp/?ch= 
&ea=/setup.exe 

189.97.106 .121/pid=30455/type=videxp/?ch= &ea = 
189.97.106 .121/pid=30455/type=videxp/setup.exe 
117.198.91 .99/pid=30455/type=videxp/?ch= &ea = 
117.198.91 .99/pid=30455/type=videxp/setup.exe 
79.18.18 .29/pid=30455/type=videxp/?ch= &ea = 
79.18.18 .29/pid=30455/type=videxp/setup.exe 
85.253.62 .53/pid=30455/type=videxp/?ch= &ea = 



85.253.62 .53/pid=30455/type=videxp/setup.exe 
79.164.220 .170/pid=30455/type=videxp/?ch= &ea = 
79.164.220 .170/pid=30455/type=videxp/setup.exe 
59.98.104 .129/pid=30455/type=videxp/?ch= &ea = 
59.98.104 .129/pid=30455/type=videxp/setup.exe 
78.43.24 .211/pid=30455/type=videxp/?ch= &ea = 
78.43.24 .211/pid=30455/type=videxp/setup.exe 
62.98.63 .254/pid=30455/type=videxp/?ch= &ea = 
62.98.63 .254/pid=30455/type=videxp/setup.exe 
84.176.74 .231/pid=30455/type=videxp/?ch= &ea = 
84.176.74 .231/pid=30455/type=videxp/setup.exe 
panmap 

.in/html/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 
114.80.67.32 - charicard@googlemail.com 
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Parked on 114.80.67.32 are also: 

managesystem32.com 

napipsec.in 

trialoc.in 

pbcofig.in 


pclxl.in 

ifxcardm.in 

ifmon.in 

panmap.in 

moricons.in 

oeimport.in 

ncprov.in 
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The served setup.exe (Win32/Koobface.BC; 
Worm:Win32/Koobface.gen!D;) samples phone back to a 
single location:- 

uprl5may .com/achcheck.php; uprl5may 
■ com/ld/gen.php - 92.38.0.69; 61.235.117 
.71/files/pdrv.exe To further demonstrate the group's 
involvement in these campaigns, two active campaigns at is- 

the-boss.com 

indicate that they're also using the newly introduced 
counteringate.com, however, parked on the same IP as a 

previously analyzed redirector maintained bot the group. 

A sample campaign is using the engseo .net/sutra/in.cgi?4 
&parameter=bravoerotica - 84.16.230.38 - Email: pop- 
kadyp@gmail.com as well as the warwork .info/cgi- 
bin/counter?id = 945706 &k=independent &ref= - 
91.207.61.48 


redirectors to load free-porn-video-free-porn 

.com/l/index.php?q = bravoerotica - 84.16.230.38 - Email: 
pop-kadyp@gmail.com serving [14]a fake codec, and is also 
using the universal counter serving maintained by group 

counteringate .com/count.php?id = 308. 

A second sampled campaign at is-the-boss.com points to a 
new domain that is once again parked at a well known 

[15]IP mainted by the gang - goldeninternetsites 
.com/go.php?id = 2022 &key=4c69e59ac &p = l - 
83.133.123.140 - 

327 


£ 


known from [16]previous campaigns. 

The redirectors lead to anti-virussecurity3 .com - 

69.4.230.204; 69.10.59.34; 83.133.115.9; 91.212.65.125 

with more typosquatted "[17]Personal Antivirus" scareware 
parked at these multiple IPs aimed to increase the life cycle 
of the campaign: 

bestantiviruscheck2 .com 

securitypcscanner2 .com 

fastpcscan3 .com 

goodantivirusprotection3 .com 

antimalware-online-scanv3 .com 


anti-malware-internet-scanv3 .com 


antimalwareinternetproscanv3 .com 

antimalwareonlinescannerv3 .com 

anti-virussecurity3 .com 

bestantispywarescanner4 .com 

fastsecurityupdateserver .com 

Personal Antivirus then phones back to startupupdates 
.com - 83.133.123.140 where more scareware is parked, with 
the domains known from previous campaigns: 

bestwebsitesin2009 .com 
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live-payment-system .com 
bestbuysoftwaresystem .com 
antiviruspaymentsystem .com 
bestbuysystem .com 
homeandofficefun .com 
advanedmalwarescanner .com 
allinternetfreebies .com 
goldeninternetsites .com 
primetimeworldnews .com 
liveavantbrowser2 .cn 
momentstohaveyou .cn 



worldofwarcry .cn 
awardspacelooksbig .us 

The affected services have been notified, blacklisting and 
take down of the participating domains is in progress. 

This post has been reproduced from [18]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as pot.com/2009/Q4/massive-blackhat- 
seo-campai a n-servin a .html 

2. http://ddanchev.blo as pot.com/2009/06/from-ukrainian- 
blackhat-seo- a an a -with.html 

3. http://ddanchev.blo as pot.com/2009/06/from-ukrainian- 
blackhat-seo- a an a -with 09.html 

4. 

http://www.virustotal.com/analisis/leb5fc834f22d5fle5d7d8 

2bflc7d4df2e584734dl9e82f72c7e7d45101143e2-12452 

45881 

5. http://ddanchev.blo as pot.com/2009/06/from-ukrainian- 
blackhat-seo- a an a -with_09.html 

6 . 

http://www.virustotal.com/analisis/576f4127e85ab6ce355f0e 

ec612bb0d24355f626e71ab6e2585a596e02563ecl-12448 

40273 

7. http://ddanchev.blo as pot.com/2008/10/diverse-portfolio- 
of-fake-securitv 16.html 






























8. http://ddanchev.blQ as Dot.com/2009/05/diverse-Portfolio- 
of-fake-securitv.html 


9. http://ddanchev.blo as pot.com/2009/Q4/massive-blackhat- 
seo-campai a n-servin a .html 

10 . 

http://www.virustotal.com/analisis/d8e886b0f36b03f54a2d5 

823ecbf4602333f69fb9ce6a5160e003088cc8b2bdb-12452 

18571 


11. http://ddanchev.blo as pot.com/2009/04/massive- 
blackhat-seo-campai a n-servin a .html 

12. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with_09.html 

13. 

http://www.virustotal.com/analisis/leb5fc834f22d5fle5d7d8 

2bflc7d4df2e584734dl9e82f72c7e7d45101143e2-12452 

53380 

14. 

http://www.virustotal.com/analisis/81ac44b2150e87850fc28 

d228f0a7680alb6d4fdl32217288417fed29ela45ee-12452 

19986 


15. http://ddanchev.blo as pot.com/2009/Q5/dissectin a -swine- 
f1u-black-seo-campai a n.html 

16. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

17. 

http://www.virustotal.com/analisis/50f23f314bd40d05bfed00 








































a042da936f98ffe7af81d52777a7952 7595 5a40ec6-l 2452 


21372 


18. http://ddanchev.blo as pot.com/ 
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A Peek Inside the Managed Blackhat SEO Ecosystem 
(2009-06-24 14:21) 

Ever wondered how are thousands of bogus accounts across 
multiple Web services, automatically generated with 

built-in monetization channels consisting of scareware, 
malware to the use of legitimate affiliate links from major ad 
networks? 

Through several clicks or if complete automation and 
experience count, through outsourcing the process to a 

managed blackhat SEO provider that wouldn't charge you for 
the product, but for the service offered. Let's take a peek at 
some of the currently available DIY tools, and what a 
managed blackhat SEO service provider has to offer. 
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Take for instance the "professional blackhat SEO" expert 
featured here. His ongoing [ljTwitter spam campaigns are in 
fact so successfully [2]hijacking trending topics that at first 
they looked like your typical scareware serving campaign. 






What both sides have in common are spamming techniques 
used. 

However, the tactics vary and indicate an interesting shift 
from the typical [3]outsourcing of CAPTCHA recognition for 
the purpose of storing the blackhat SEO content on the 
legitimate provider's services. In order to scale more 
efficiently, several currently active managed blackhat SEO 
providers that have vertically integrated to the point where 
they manage their own blackhat SEO friendly ISP. 

By doing so, their bogus account generating platforms are 
capable of achieving speeds that would be other- 
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wise either impossible or impractical to set as objectives 
through outsourced CAPTCHA-recognition - 2,931 bogus 
Wordpress accounts with template based blackhat SEO 
content generated in 1 second using their own managed 

infrastructure. The following screenshots provide an inside 
peek into one of the products offered by the "professional 
blackhat SEO expert" : 
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What took place in one second, was the generation of 
thousands of bogus accounts with descriptive blackhat SEO 

subdomains, with the bogus content pulled/scrapped from 
legitimate and real-time news providers, with the entire 
operation run as a managed service, or the tool itself offered 
for sale. As in every other managed underground 

service, customization plays a major role that is often the key 
benchmark forjudging a particular product next to another. 
Customization in respect to this particular tool comes under 
the form of numerous Wordpress templates 

that can be randomly used during the registration process: 
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Static customization is one thing, dynamic customization is 
entirely another. The product, and consequently the 
managed service are offering the ability to automatically add 
Ebay and Amazon listings with the user's unique affiliate 
code posted within the bogus content: 
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The practice of [4]affiliate network fraud - excluding the 
cybersquatting as a prerequisite for it success - was recently 
mentioned as a much more lucrative fraudulent practice than 
the pay-per-click model, which entirely depends on 

the fraudster's knowledge of which is the monetization 
model with the highest pay-out rates: 

11 Some companies offer legitimate affiliate programs that 
allow third-party Web site owners to post links and banners 
with the company's branded content on their site or to send 
traffic to the company's site directly through domain 
forwards. In return, the owner of the site hosting the link 
receives a commission for every click-through that results in 
a purchase. This lucrative commission structure has enticed 
cybercriminals to take advantage of affiliate programs by 
registering typo domains that redirect to legitimate content 
and enable them to collect affiliate fees. " 

Next to the maIware/scareware serving Twitter campaigns, 
affiliate network fraud is also very common at the 

ever-growing micro-blogging service, whose lack of common 
sense account registration practices - Twitter doesn't require 
a valid email, neither does it require an email confirmation 
upon registrating an account - makes the practice of 
generating bogus accounts a child's play. 

The bottom line - is the managed blackhat SEO hosting 
service ( $500 per month and $5000 for one year for 

unlimited domains/subdomains/traffic/disk space package) 
the future, or are we going to continue seeing the 

systematic abuse of legitimate service's infrastructure 
through outsourced CAPTCHA recognition? I'd go for the 
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second due to a simple reason - it's more cost-effective than 
the managed service at least for the time being. In the long 
term, once it achieves its logical "malicious economies of 
scale" the hosting and process would become cheaper 
thereby attracting more customers. 

Recommended reading - 

Outsourced CAPTCHA recognition: 

[5] Community-driven Revenue Sharing Scheme for CAPTCHA 
Breaking 

[6] The Unbreakable CAPTCHA 

[7] Spammers attacking Microsoft's CAPTCHA - again 

[8] Spam coming from free email providers increasing 

[9] Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers 

[10] Microsoft's CAPTCHA successfully broken 

[11] Vladuz's Ebay CAPTCHA Populator 

[12] Spammers and Phishers Breaking CAPTCHAs 

[13] DIY CAPTCHA Breaking Service 

[14] Which CAPTCHA Do You Want to Decode Today? 

Managed Cybercrime-facilitating services/tools: 

[15] Commercial Twitter spamming tool hits the market 

[16] Zeus Crimeware as a Service Going Mainstream 



[17] Managed Fast-Flux Provider 

[18] Managed Fast Flux Provider - Part Two 

[19] 76Service - Cybercrime as a Service Going Mainstream 

[20] lnside (Yet Another) Managed Spam Service 

[21 ]Inside a DIY Image Spam Generating Traffic Management 
Kit 

[22] Quality Assurance in a Managed Spamming Service 

[23] Managed Spamming Appliances - The Future of Spam 

[24] Dissecting a Managed Spamming Service 

[25] lnside a Managed Spam Service 

[26] Spamming vendor launches managed spamming service 
Cybersquatting/Per Pay Click Fraud: 

[27] Exposing a Fraudulent Google AdWords Scheme 

[28] Botnets committing click fraud observed 

[29] Click Fraud, Botnets and Parked Domains - All Inclusive 

[30] Cybersquatting Security Vendors for Fraudulent Purposes 

[31] Cybersquatting Symantec's Norton Antivirus 

[32] The State of Typosquatting - 2007 

This post has been reproduced from [33]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/? p = 3549 





2. http://ddanchev.blo as pot.com/2009/06/from-ukraine-with- 
scareware-servin a .html 

3. http://blo a s.zdnet.com/securit v/? o = 1835 

4. http://www.fairwindsoartners.com/en/newsroom/oress- 
releases/ i une-22-2009 

5. http://ddanchev.blo as pot.com/2009/Q2/communitv-driven- 
revenue-sharin a -scheme.html 

6. http://ddanchev.blo as pot.com/2008/Q7/unbreakable- 
ca otcha.html 

7. http://blo a s.zdnet.com/securit v/? o=1986 

8. http://blo a s.zdnet.com/securit v/? p=1514 

9. http://blo a s.zdnet.com/securit v/? p=1418 
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c vbercrime-as-service- a oin a .html 
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assurance-in-mana a ed-spammin a .html 

23. http://ddanchev.blo as pot.com/2007/10/mana a ed- 
s oammin a-ao piiances-future-of.html 

24. http://ddanchev.blo as pot.com/2008/Q7/dissectin a- 
mana a ed-spammin a -service.html 

25. http://ddanchev.blo as pot.com/2008/10/inside-mana a ed- 
s pam-service.html 

26. http://blo a s.zdnet.com/securit v/? p=1899 

27. http://ddanchev.blo as pot.com/20Q9/01/exposin a- 
fraudulent- a oo a le-adwords.html 
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29. http://ddanchev.blo as pot.com/2008/Q7/click-fraud- 
botnets-and-parked-domains.html 


30. http://ddanchev.blo as pot.com/2008/Q3/cvbersauattin a- 
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Ethiopian Embassy in Washington D.C Serving 
Malware - Part Two (2009-06-25 14:01) 

Can a lightning strike the same place twice? In the world of 
cybercrime, there's no such thing as a coincidence especially 
when it comes to multiple malware embedded embassy web 
sites during the past couple of months 

courtesy of a single group, with soft-drinks themed 
redirectors establishing a direct connection with a well 
known RBN domain from the not so distance past. 

Related posts: 

[1] Embassy of Portugal in India Serving Malware 

[2] Ethiopian Embassy in Washington D.C Serving Malware 

[3] USAID.gov compromised, malware and exploits served 
























[4] Azerbaijanian Embassies in Pakistan and Hungary Serving 
Malware 

[5] Embassy of India in Spain Serving Malware 

[6] Embassy of Brazil in India Compromised 

[7] The Dutch Embassy in Moscow Serving Malware 

[8] U.S Consulate in St. Petersburg Serving Malware 

[9] Syrian Embassy in London Serving Malware 

[10] French Embassy in Libya Serving Malware 

1. http://ddanchev.blo as Dot.com/2009/Q3/embassv-of- 
portu a al-im-iindia-servin a .html 

2. http://ddanchev.blo as pot.com/2009/Q3/ethiopian- 
embassv-in-washin a ton-dc.html 

3. http://blo a s.zdnet.com/securit v/? p = 2817 

4. http://ddanchev.blo as pot.com/2009/Q3/azerbai i anian- 
embassies-in-pakistan-and.html 

5. http://ddanchev.blo as pot.com/2009/01/embassv-of-india- 
in-spain-servin a .html 

6. http://ddanchev.blo as pot.com/20Q8/ll/embassv-of-brazil- 
in-india-compromised.html 

7. http://ddanchev.blo as pot.com/2008/01/dutch-embassv-in- 
moscow-servin a -malware.html 

8. http://ddanchev.blo as pot.com/2007/Q9/us-consulate-st- 
petersbur a -servin g .html 











































9. http://ddanchev.blo as pot.com/2007/09/svrian-embassv-in- 
london-servin a .html 


10. http://ddanchev.blo as pot.com/20Q7/12/have-vour- 
malware-in-timelv-fashion.html 
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Summarizing Zero Day's Posts for June (2009-07-01 
22:26) 

The following is a brief summary of all of my posts at ZDNet's 
[l]Zero Day for June. 

You can also go through previous summaries for [2]May, 
[3]April, [4]March, [5]February, [6]January, [7]De- 

cember, [8]November, [9]October, [lOJSeptember, 
[llJAugust and [12]July, as well as subscribe to my 
[13]personal RSS feed or [14]Zero Day's main feed. 

Notable articles include: [15]Microsoft study debunks 
profitability of the underground economy; [16]Overall 

spam volume unaffected by 3FN/Pricewert's ISP shutdown 
and [17]lranian opposition launches organized cyber 

attack against pro-Ahmadinejad sites. 

01. [ 18]EmaiI service provider: 'Flack into our CEO's email, 
win $10k' 
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02. [19]419 scammers using NYTimes.com 'email this 
feature' 

03. [20]Microsoft study debunks profitability of the 
underground economy 

04. [21]Malware poses as fake YellowsnOw iPhone unlocker 

05. [22]Cybercriminals hijack Twitter trending topics to serve 
malware 

06. [23]Overall spam volume unaffected by 3FN/Pricewert's 
ISP shutdown 

07. [24]Mac OS X malware posing as fake video codec 
discovered 

08. [25]Researchers demo wireless keyboard sniffer for 
Microsoft 27Mhz keyboards 
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A Diverse Portfolio of Fake Security Software - Part 
Twenty Two (2009-07-03 18:34) 

Part twenty two of the diverse portfolio of fake security 
software series will summarize the typosquatted scareware 
serving domains currently in circulation, pushed through the 
usual distribution channels, but will also emphasize on the 
"money trail", namely the payment processing gateways 
used in the scareware campaigns. 

In this particular case the scareware front-ends ultimately 
leading to ChronoPay, which [l]Germany-based Pandora 
Software has been abusing since 2008 under its countless 
number of aliases such as Meyrocorp for instance. 
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The scareware domains are as follows: 

atomscan6 .info - 38.105.19.27 - Email: 
donboset@gmail.com 

Iistscan6 .com - Email: loiskiltz@gmail.com 
goscanedge .com - Email: subtenda@gmail.com 
goscanfine. com - Email: chirelqas@gmail.com 
in6ch .com - Email: relgetn@gmail.com 
goscanrich .com - Email: pathstals@gmail.com 
goscanrank .com - Email: alcnafuch@gmail.com 


ina6sk .com - Email: equatelepi@gmail.com 
in6sk .com - Email: thomas.truby@gmail.com 
goscanslim .com - Email: chinrfi@gmail.com 
gowidescan .com - Email: alcnafuch@gmail.com 
goedgescan .com - Email: subtenda@gmail.com 
gofinescan .com - Email: alcnafuch@gmail.com 
goelitescan .com - Email: funully@gmail.com 
gorichscan .com - Email: pathstals@gmail.com 
goslimscan .com - Email: chinrfi@gmail.com 
gosoonscan .com - Email: aloxier@gmail.com 
goironscan .com - Email: aloxier@gmail.com 
goflexscan .com - Email: alcnafuch@gmail.com 
gomanyscan .com - Email: alcnafuch@gmail.com 
goscaniron .com - Email: aloxier@gmail.com 
ina6co .com - Email: equatelepi@gmail.com 
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in6co .com - Email: thomas.truby@gmail.com 
goscantop .com - Email: funully@gmail.com 
ina6iq .com - Email: equatelepi@gmail.com 


goscanstar .com - Email: stgeyman@gmail.com 
goscanflex .com - Email: chirelqas@gmail.com 
goscanmany .com - Email: chirelqas@gmail.com 
scantrue6 .info - Email: jokinzer@gmail.com 
scantool6 .info - Email: jokinzer@gmail.com 
scanzoom6 .info - Email: jokinzer@gmail.com 
Iitescan6 .info - Email: litescan6.info 
truescan6 .info - Email: jokinzer@gmail.com 
toolscan6 .info - Email: jokinzer@gmail.com 
atomscan6 .info - Email: donboset@gmail.com 
genscan6 .info - Email: imendegal@gmail.com 
Iuxscan6 .info - Email: donboset@gmail.com 
wayscan6 .info - Email: jokinzer@gmail.com 
scanuser6 .info - Email: jokinzer@gmail.com 
scanway6 .info - Email: jokinzer@gmail.com 
scan6line .info - Email: jokinzer@gmail.com 
scan6note .info - Email: jokinzer@gmail.com 
scan6true .info - Email: jokinzer@gmail.com 
scan6tool .info - Email: jokinzer@gmail.com 
true6scan .info - Email: jokinzer@gmail.com 



tool6scan .info - Email: jokinzer@gmail.com 
top6scan .info - Email: jokinzer@gmail.com 
user6scan .info - Email: jokinzer@gmail.com 
Iist6scan .info - Email: jokinzer@gmail.com 
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way6scan .info - Email: jokinzer@gmail.com 

scan6user .info - Email: jokinzer@gmail.com 

scan6list .info - Email: jokinzer@gmail.com 

scan6fix .info - Email: jokinzer@gmail.com 

scan6way .info - Email: jokinzer@gmail.com 

It's pretty obvious case demonstrating the dynamics of the 
underground ecosystem. 

A thousand bogus ac¬ 
counts purchased for $10 used in a bulk registration of 
scareware serving domains on a revenue sharing affiliate 
model ends up in a win-win-win situation for the 
cybercriminals involved in these processes. The practice is 
becoming rather popular not only due to their interest in less 
centralization of the domain control under a single email 
address 

- cross checking reveals the entire portfolio managed under 
it - but due to the availability of the service. 


clean-pc-now .net - 94.75.233.162 - Email: 
robertsi monkroon@gmail.com 

fast-spyware-cleaner .org - Email: 
robertsi monkroon@gmail.com 

spyware-scaner .com - Email: 
robertsimonkroon@gmail.com 

scan-pc-now .com - Email: robertsimonkroon@gmail.com 
free-tube-porn .biz - Email: robertsimonkroon@gmail.com 
spyware-killer .biz - Email: robertsimonkroon@gmail.com 
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softportal-extrafiles .com - 64.20.38.172 

exe-profile .com - Email: kimwerner92@yahoo.com 

extrafiles-softportal .com - Email: 
opipkl@googlemail.com 

softportal-files .com - Email: kimwerner92@yahoo.com 

softportal-extrafiles .com 

load-exe-soft .com - Email: kimwerner92@yahoo.com 

exe-box .com - Email: normtroup@yahoo.com 

hot-exe-area .net - Email: josepetie@gmail.com 

spywarecomputerscanv2 .com - 69.10.59.35 - Email: 
huang@bark.edu.hk 


llive-antimalware-pro-scan .com - Email: 
hongkong@campusparis.org 

llive-antimalware-scanner .com - Email: 
hongkong@campusparis.org 

folderantispywarescanner .com - Email: 
xinhuawuhan@yahoo.com 

antivirushelpscanner .com - Email: info@brandturkey.com 

fastfolderscanner .com - Email: info@brandturkey.com 

mycomputerscanner .com - Email: 
vanmullem@yahoo.com 
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restricteddomainhelp .com - 83.133.124.81 - Email: 
franklinnig@yahoo.com 

msncoreupdate .com - Email: jen@parallelslive.cn 

world-payment-system .com - Email: 
info@yashitaindian.com 

liveinternetupdates .com - Email: 
kuzya77@freebbmail.com 

onlineantivirusmarket .com Email: podbisb@hotmail.com 

threats-scanner .com - 69.4.230.204 - Email: 
vanmullem@yahoo.com 

securitypcscanner2 .com - Email: 
office@actionaidinusa.org 


anti-virussecurity3 .com - Email: 
office@actionaidinusa.org 

private-online-scan .com - Email: info@kianah.org 

liveantivirusproscan .com - Email: 
second@freebbmail.com 

nolvirusscan .com - Email: info@kianah.org 

my-private-protection .com - Email: info@kianah.org 

scanmyfolders .com - Email: info@kianah.org 

scanmycomputerforvirus .com - Email: 
vanmullem@yahoo.com 

onlinescan-ultraantivirus2009 .com - 206.53.61.76 
relevantwebsearches .com 
virussweeper-scanvirus .com 
guardincorp .info 

mainsecsys .info - Email: andrew.fbecket@gmail.com 
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guardsecurity .info - Email: poljaykop@gmail.com 

virusalarm-scanvirus .net 

best-protect .info - 174.142.113.205 - Email: 
chainadmin@gmail.com 

best-protect-avl .info - Email: chainadmin@gmail.com 


best-antivirus-pc .info - Email: chainadmin@gmail.com 

best-avl-protect .info - Email: chainadmin@gmail.com 

avl-protect .info - Email: chainadmin@gmail.com 

avl-best-protect .info - Email: chainadmin@gmail.com 

best-protect .info - Email: chainadmin@gmail.com 

best-av .info - Email: chainadmin@gmail.com 

pay-virusshield .cn - 64.213.140.70 - Email: 
unitedisystems@gmail.com 

shieldinc .info 

systemprotectinc .info 

ironshield .info 

myofficeguard .info 

protectionurl .info 
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my-protection .info 


antivirus09 .net 


fast-antivirus.net 


virusshieldpro .com - 64.86.16.127 - Email: 
unitedisystems@gmail.com 

prestotuneup .com - Email: hycderxvur@whoisservices.cn 

virussweeper-scanvirus .com 

virusmelt .com - Email: nuhuarrczq@whoisservices.cn 

systemsec .info 
shieldinc .info 
myofficeguard .info 
protect-online .info 
protectionlol .info 
protectionurl .info 
virussweeper-scan .net 

advanced-virus-remover2009 .com - 92.241.176.188 - 
Email: masle@masle.kz 

trucount3005 .com - Email: 
chen.poonl732646@yahoo.com 

antivirus-scan-2009 .com - Email: 
cheng2009@yahoo.com 

antivirusxppro-2009 .com - Email: u@sochi.ru 
advanced-virusremover2009 .com - Email: giogr@ua.fm 



353 


£ 


bestscanpc .com 

trucountme .com - Email: valentin@gergiea.kz 

vs-codec-pro .com - Email: bhtjnjhggn@googlemail.com 

vscodec-pro .com - Email: cyber38462@hotmail.com 

antivirus-2009-ppro .com - Email: 
cheng2009@yahoo.com 

onlinescanxppro .com - Email: 
chen.poonl732646@yahoo.com 

downloadavr .com - Email: gorbun@ua.fm 

bestscanpc .net 

activation-antivirus-software .com - 208.43.124.83 - 
Email: matlee@fsuk.edu 

fxantispy .com - Email: TycoonMichael@googlemail.com 

my-protection .info - 64.213.140.70 - Email: 
hop.davis@gmail.com 

protectonline .info - 64.86.17.47 - Email: 
hop.davis@gmail.com 

safetywwwtools .com - 209.44.126.36 - Email: 
martin.s.johnson@spambob.com 

defenderupdates2 .com - 89.248.168.46 - Email: 
china@seban.se 


securitytoolsdirect .com - 209.44.126.22 - Email: 
RuthMMarcotte@text2re.com 

best-antivirus-security .com - 84.16.237.52 - Email: 
valentinyermolaev@gmail.com 

malwaresdestructor .com - 206.53.61.74 
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suprotect .com - 89.149.212.218 - uuuuu@ua.fm 

threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 
; 78.47.172.66 - Email: vanmullem@yahoo.com 

antimalwareliveproscannerv3 .com - Email: 
vanmullem@yahoo.com 

antivirus-online-pro-scan .com - Email: 
vanmullem@yahoo.com 

avpro-labs .com - 213.182.197.229 

avprotectionstat .com - 74.50.99.236 

explorerfilescan .com - 63.223.110.178; 78.47.132.221; 
78.47.172.68 Email: xinhuawuhan@yahoo.com 

antivirushelpscanner .com A 83.133.125.116; 
69.10.59.35; 83.133.125.116 - Email: 
info@brandturkey.com 

fastfolderscanner .com - Email: info@brandturkey.com 

mycomputerscanner .com - Email: 
info@brandturkey.com 


mal-warexls .net - 72.9.108.26 - Email: joehugardo@ya.ru 
internetware-safe .com - Email: candikeller@ya.ru 

scanonlinesite .info - 66.148.74.126 
scanonlineblog .info 
scanonlineshop .info 
scanonlinenow .info 

youravprotection .com - 74.50.98.162 - Email: 
armandgregory3@gmail.com 

registerantivirus .com Email: ed.areyra@gmail.com 

avprotectionstat .com 

avagent-pro .com - 83.133.126.46 - Email: 
dwrdcardenas95@gmail.com 

downloads-123 .com - Email: 
dwrdcardenas95@gmail.com 

soft-process .com - Email: dwrdcardenas95@gmail.com 
download-123 .cn - Email: dwrdcardenas95@gmail.com 
actupdate .net - Email: dwrdcardenas95@gmail.com 
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Now the emphasis on the payment gateways, currently 
active and processing the scareware transactions: 


softwaresecuredbilling .com - 209.8.45.122 - 
Temchen koViktor@googlemail.com 

softsales-discount .com - Email: 
daunrwwciq@whoisservices.cn 

best-internet-payments .com - 209.8.45.148 - Email: 
specsupport@gmail.com 

adioro .com - 213.174.152.32 - Email: 
xyhsbjlrl@whoisprivacyprotect.com 

secure-plus-payments .com - 209.8.25.204 - Email: 
sparckOOO@mail.com 

secure.pnm-software .com - 209.8.45.124 - Email: pnm- 
software.com@liveinternetmarketingltd.com 

soft-process .com - 83.133.126.46 - Email: 
XtPbtP@privacypost.com 

privatesecuredpayments .com - 78.46.216.238 - Email: 
TemchenkoViktor@googlemail.com 
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These payment processing gateways are sometimes front- 
end to the original and often legitimate payment proces¬ 
sors. In this particular case, the the legitimate processor is 
Netherlands-based ChronoPay, which is known to have 
been used in the past by affiliates in the scareware affiliate 
model in the past, with several complaints for repeated 
credit card billing, which in reality is included in the 
scareware's Terms of Service. 


Upon a successful purchase - the customer is told that" 

This charge will appear on your card statement as 

CHRPay.com/ducforceide ". Interestingly, Pandora 
Software has also been using the following ChronoPay 
accounts for over an year - Chrpay.com/meyrocorp; 
CHrpay.com/pnra using [2]disconnected numbers, 
CallerlD's of [3]scareware operations, desperate attempts to 
contact the alias for [4]the front-end payment processor, 
ultimately resulting in [5]several hundred ChronoPay 
related complaints. 

Next to scareware, ChronoPay (Pavel Vrublevsky acting as 
CEO) is also known to have been used in [6]a mobile 
application scam dissected here, as well as being a victim of 

[7] a DDoS attack in 2008, which is pretty logical since if 
ChronoPay is the payment processor of choice for the 
hundreds of thousands of scareware generated revenues on 
daily basis, the commissions ChronoPay takes from 
cybercriminals would be more than welcome in the 
competing 

payment processor's network. 

Related posts: 

[8] Dissecting a Swine Flu Black SEO Campaign 

[9] Massive Blackhat SEO Campaign Serving Scareware 

[10] From Ukrainian Blackhat SEO Gang With Love 
357 

[11] From Ukrainian Blackhat SEO Gang With Love - Part Two 



[12] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[13] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

[14] A Diverse Portfolio of Fake Security Software - Part 
Twenty One 

[15] A Diverse Portfolio of Fake Security Software - Part 
Twenty 

[16] A Diverse Portfolio of Fake Security Software - Part 
Nineteen 

[17] A Diverse Portfolio of Fake Security Software - Part 
Eighteen 

[18] A Diverse Portfolio of Fake Security Software - Part 
Seventeen 

[19] A Diverse Portfolio of Fake Security Software - Part 
Sixteen 

[20] A Diverse Portfolio of Fake Security Software - Part 
Fifteen 

[21] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[22] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[23] A Diverse Portfolio of Fake Security Software - Part 
Twelve 

[24] A Diverse Portfolio of Fake Security Software - Part 
Eleven 



[25] A Diverse Portfolio of Fake Security Software - Part Ten 

[26] A Diverse Portfolio of Fake Security Software - Part Nine 

[27] A Diverse Portfolio of Fake Security Software - Part Eight 

[28] A Diverse Portfolio of Fake Security Software - Part 
Seven 

[29] A Diverse Portfolio of Fake Security Software - Part Six 

[30] A Diverse Portfolio of Fake Security Software - Part Five 

[31] A Diverse Portfolio of Fake Security Software - Part Four 

[32] A Diverse Portfolio of Fake Security Software - Part Three 

[33] A Diverse Portfolio of Fake Security Software - Part Two 

[34] Diverse Portfolio of Fake Security Software 

This post has been reproduced from [35]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as DOt.com/20Q9/Q6/cliverse-portfolio- 
of-fake-securitv.html 

2. http://www.complaintsboard.com/complaints/billed-for- 
more-than-asked-for-c87068.html#c253625 

3. 

http://www.complaintsboard.com/complaints/chr pa vcomduc 

forceide-c221036.html 

4. 

http://online.ws i .com/article/SB1239762304Q7519659.html 


















5. http://www.ripoffreport.com/searchresults.as p? 
a 5=CHRPav.com&al=ALL&a4=&a6=&a3=&a2=&a7=&sea 
rcht v pe=0&submit2 

= Search%21 

6. http://ddanchev.blo as pot.com/2QQ8/Q7/mobile-malware- 
scam-isexplaver-wants.html 

7. 

http://www.kommersant.com/p8763Q9/r_5QQ/electronic_ pav 
ment processin g / 

8. http://ddanchev.blo as pot.com/2QQ9/Q5/dissectin a -swine- 
f1u-black-seo-campai a n.html 

9. http://ddanchev.blo as pot.com/2QQ9/Q4/massive-blackhat- 
seo-campai a n-servin a .html 

10. http://ddanchev.blo as pot.com/20Q9/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

11. http://ddanchev.blo as pot.com/2QQ9/Q6/from-ukrainian- 
blackhat-seo- a an a -with 09. hr ml 

12. http://ddanchev.blo as pot.com/2QQ9/Q6/from-ukraine- 
with-scareware-servin a .html 

13. http://ddanchev.blo as pot.com/2QQ9/Q6/fake-web- 
hostin a- provider-front-end-to.html 

14. http://ddanchev.blo as pot.com/2QQ9/Q6/diverse- 
portfolio-of-fake-securitv.html 

15. http://ddanchev.blo as pot.com/2QQ9/Q5/diverse- 
portfolio-of-fake-securitv.html 


























































16. http://ddanchev.blo as pot.com/2QQ9/Q4/diverse- 
portfolio-of-fake-securitv_16.html 

17. http://ddanchev.blo as pot.com/2QQ9/Q4/diverse- 
portfolio-of-fake-securitv.html 

18. http://ddanchev.blo as pot.com/2QQ9/Q3/diverse- 
portfolio-of-fake-securitv_31.html 

19. http://ddanchev.blo as pot.com/2QQ9/Q3/diverse- 
portfo l io-of-fake-secur it v.html 

20. http://ddanchev.blo as pot.com/2009/Q2/diverse- 
portfolio-of-fake-securitv.html 

21. http://ddanchev.blo as pot.com/2QQ9/Ql/diverse- 
portfolio-of-fake-securitv.html 

358 

22. http://ddanchev.blo as pot.com/2QQ8/ll/diverse- 
portfolio-of-fake-securitv 12.html 

23. http://ddanchev.blo as pot.com/2QQ8/ll/diverse- 
portfolio-of-fake-securitv.html 

24. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfo l ro-of-fake-securitv 28.html 

25. http://ddanchev.blo as pot.com/20Q8/lQ/diverse- 
portfolio-of-fake-securitv 22.html 

26. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfolio-of-fake-securitv 16.html 

27. http://ddanchev.blo as pot.com/2QQ8/lQ/diverse- 
portfolio-of-fake-securitv.html 


















































28. http://ddanchev.blo as DOt.com/2QQ8/Q9/diverse- 
portfoliio-of-fake-securitv 3Q.html 

29. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfolio-of-fake-securitv 24.html 

30. http://ddanchev.blo as pot.com/2QQ8/Q9/diverse- 
portfol [o-of-fake-securitv.html 

31. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv 25.html 

32. http://ddanchev.blo as pot.com/20Q8/Q8/diverse- 
portfolio-of-fake-securitv 20.html 

33. http://ddanchev.blo as pot.com/20Q8/Q8/diverse- 
portfolio-of-fake-securitv.html 

34. http://ddanchev.blo as pot.com/2QQ7/12/diverse- 
portfolio-of-fake-securitv.html 

35. http://ddanchev.blo as pot.com/ 

359 


£ 


The Multitasking Fast-Flux Botnet that Wants to 
Bank With You (2009-07-07 07:28) 

From a Chase phishing campaign, to a [l]bogus Microsoft 
update, and an exploit serving spam campaign using a 

"Who Killed Michael Jackson?" theme prior to his death (go 
through related [2JMichael Jackson malware campaigns), to 
a currently ongoing phishing campaign impersonating the 
United Services Automobile Association (USAA), the 
































gang behind this botnet has been actively multitasking 
during the past two months. 
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The spam message is as follows: 

" Michael Jackson Was Killed... But Who Killed Michael 
Jackson? Visit X-Files to see the answer: MJackson.kilijj 
.com/x-files", upon clicking on it the user is redirected to 
two exploit serving domains - ogzhnsltk 
.com/plugins/index.php (94.199.200.125 Email: 
osaltik@windowslive.com); and dogankomurculuk 
.com/stil/index.php (91.191.164.100 - 

Email: by.yasin@msn.com). 

Through the use of an Office Snapshot Viewer exploit the 
user is the exposed to a [3]downloader (x-file- 

MJacksonsKiller.exe) which attempts to drop a copy of the 
Zeus malware from labormi .com/lbrc/lbr.bin 

(91.206.201.6). The following is an extensive list of the 
participating domains, as well as the currently active and 
fast-fluxing DNS servers part of the botnet: 
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List of participating domains: 

kilijl .com 


ilkill .com 


ilkifi .com 


kililj .com 
killjj .com 
kilijj .com 
kikijj .com 
kilijj .com 
kilijj .com 
lilikj .com 
ilkilk .com 
ilkllk .com 
ilkilk .com 
ilkilk .com 
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kilijl .net 
ilkill .net 
kililj .net 
kilijj .net 
kilijj .net 
kilijj .net 


kilijj .net 
lilikj .net 
ilkilk .net 
ilkllk .net 
ilkilk .net 
ilkilk .net 
ilifi.com .mx 
lfFli.com .mx 
iljihli.com .mx 
hhili.com .mx 
hilli.com .mx 
kifFil.com .mx 
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Michael Jackson related subdomains 

mjackson.ijjikl .com 
mjackson.ijjill. com 
mjackson.kjjill .com 
mjackson.ikjill .com 
mjackson.ijkill .com 


mjackson.ijjkll .com 
mjackson.ikilij .com 
mjackson.ikklij .com 
mjackson.ikilkj .com 
mjackson.ikilfk .com 
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mjackson.ijjilk .com 
mjackson.ijjill .com 
mjackson.ijjikl .net 
mjackson.ijjill .net 
mjackson.ikjill .net 
mjackson.ijkill .net 
mjackson.ijjkll .net 
mail.ikilij .net 
mjackson.ikilij .net 
mjackson.ilifi .com.mx 
mjackson.iljihli .com.mx 
mjackson.hhili .com.mx 
mjackson.hilli .com.mx 


Microsoft related subdomains: 
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update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 

update.microsoft.com 
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.hlhili.com 

.ijlklj.com 

.hillij.com 

.hillkj.com 

.ikillif.net 

.jikikji.net 

.hillij.net 

.hillik.net 

.ikihill.net 

.ilifi.com.mx 

.iljihli.com.mx 

.hilli.com.mx 

. kiffil.com.mx 


USAA.com related phishing subdomains: 

www.usaa.com.kihhif .com 
www.usaa.com.kihhih .com 


www.usaa.com.kihhik .com 


www.usaa.com.kihhil .com 
www.usaa.com.kihhik .net 
www.usaa.com.kihhil .net 
www.usaa.com.hilli.com .mx 
www.usaa.com.frtll.com .mx 
www.usaa.com.mrtll.com .mx 
DNS Servers of notice: 
nsl.vine-prad .com 
ns2.vine-prad .com 
nsl.blacklard .com 
nsl.fax-multi .com 
ns2.fax-multi .com 
nsl.rondonman .com 
ns2.rondonman .com 
nsl.host-fren .com 
ns2.host-fren .com 
nsl.hotboxnet .com 
ns2.hotboxnet .com 
nsl.free-domainhost .com 



ns2.free-domainhost .com 
nsl.sunthemoow .com 
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ns2.sunthemoow .com 
nsl.high-daily .com 
ns2.high-daily .com 
nsl.otorvald .net 
nsl.red-bul .net 
ns2.red-bul .net 
nsl.footdoor .net 
nsl.bestdodgeros .net 
ns2.bestdodgeros .net 
nsl.azdermen .com 
ns2.azdermen .com 
nsl.departconsult .com 
ns2.departconsult .com 
nsl.torentwest .com 
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ns2.torentwest .com 


nsl.downlloadfile .net 


ns2.downlloadfile .net 

Due to this botnet's involvement with several other malware 
campaigns of notice, as well as its evident con¬ 
nection with the ongoing monitoring of several particular 
cybecrime groups, analysis and updates will be posted as 
soon as they emerge. 

Related posts: 

[4] Money Mule Recruiters use ASProx's Fast Fluxing Services 

[5] Managed Fast Flux Provider - Part Two 

[6] Managed Fast Flux Provider 

[7] Storm Worm's Fast Flux Networks 

[8] Fast Flux Spam and Scams Increasing 

[9] Fast Fluxing Yet Another Pharmacy Spam 

[10] Obfuscating Fast Fluxed SQL Injected Domains 

[lljStorm Worm Hosting Pharmaceutical Scams 

[12]Fast-Fluxing SQL injection attacks executed from the 
Asprox botnet 

This post has been reproduced from [13]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/? p = 3648 

2 . httP://blo a s.zdnet.com/securit v/? p = 3682 








3. 


http://www.virustotal.com/analisis/d654ce275154QQ4c70d4 

2d4cebc8437070e4988b2774075151el7b275165736a- 

12469 

20353 

4. http://ddanchev.blo as pot.com/2QQ8/07/monev-mule- 
recruiters-use-asoroxs-fast.html 

5. http://ddanchev.blo as pot.com/2Q08/lQ/mana a ed-fast- 
f1ux-provider-part-two.html 

6. http://ddanchev.blo as pot.com/2QQ7/ll/mana a ed-fast- 
f1ux-provider.html 

7. http://ddanchev.blo as pot.com/2QQ7/09/storm-worms-fast- 
f1ux-networks.html 


8. http://ddanchev.blo as pot.com/20Q7/lQ/fast-f1ux-spam- 
a nd-scams-mcreasin a .html 

9. http://ddanchev.blo as pot.com/2QQ7/10/fast-f1uxin g-vet- 
another-pharmacv-scam.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q7/obfuscatin a -fast- 
f1uxed-sal-in i ected.html 

11. http://ddanchev.blo as pot.com/2QQ8/Q5/storm-worm- 
hostin a- pharmaceutical-scams.html 

12. http://blo a s.zdnet.com/securit v/? p=1122 

13. http://ddanchev.blo as pot.com/ 
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Legitimate Software Typosquatted in SMS Micro- 
Payment Scam (2009-07-07 14:07) 

Operating since [1]2008, the fraudulent [2]tactics applied 
by Soletto Group, S.A also known as Netlink Network 
Corp, greatly remind of those applied by [3]lnteractive 
Brands also known as IBSOFTWARE CYPRUS; IB 
Softwares and most recently Euclid Networks Ltd - you 
have to appreciate the irony here since they too multitask 
on multiple fronts [4]through their official phone number 
since 2007 - in particular their massive typosquatted 
domain farms where they'd would change and repeatedly 
charge without permission once someone falls victim into 
the fraudulent practice. 
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What Soletto Group, S.A or Netlink Network Corp 

(phone (0) 2071939823) does differently is the use of micro 
sms payment scam having operated the [5]SMS numbers 
78881 and 81039 in the past in order to offer a download 

service for legitimate software in the following way: 

11 WARNING: ACCESS TO THE PREMIUM SERVICE SHALL 
REQUIRE SENDING ONE SMS PER DOWNLOAD >, AND 

YOU WILL RECEIVE TWO SMS. THE PRICE OF EACH SMS IS 
THREE POUNDS EACH. TOTAL COST OF SERVICE SIX 

POUNDS. " 
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Who's typosquatted anyway? Pretty much each and every 
popular piece of software there is. From Kaspersky, 
NOD32, Malware Bytes, Avira, AVAST, BitDefender, to 
Firefox, BitTorrent, Microsoft Office, Winzip, Winrar, 
and Internet Explorer - for starters. 

Here's a complete list of their domains farm, with hosting 
services courtesy of Rapidswitch Ltd: 
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nod32soft .info 
malware-bytes .info 
www-avasthome .com 
www.www-avasthome .com 
kaspersky-full .info 
www-kaspersky .info 
malware-bytes .info 
www.avira-antivir .info 
bitdefender-plus .info 
office2007-full .info 
sopcast-full .info 
Iphant-plus .info 


adobeacrobat-plus .info 
bitcomet-plus .info 
bitdefender-plus .info 
bittorrent-plus .info 
elisoft-plus .info 
mediaplayer-plus .info 
messenger-msn-9 .com 
messenger-msn-9 .info 
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messenger-msn-9 .org 
messenger-msn .org 
messenger-plus .net 
moviemaker-plus .info 
msn-messenger-9 .com 
msn-messenger-9 .info 
msn-messenger-9 .net 
msn-messenger-9 .org 
openoffice-plus .info 
photoscape-plus .info 


sopcast-plus .info 
utorrent-plus .info 
3gpconverter-plus .info 
3gpconvertersoft .info 
ares-2008 .org 
ares-2009 .com 
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ares-2009 .net 
ares-net .org 
avira-net .info 
bitcomet-plus .info 
bitorrent .cc 
bittorrent-net .info 
bittorrent-plus .info 
direct-x .cc 
divx-player-plus .info 
e-mule .nu 
elisoft-plus .info 
emule-2008 .net 
emule-proyect .info 



emulenet .net 


iexplorer-full .info 
iphonefull .com 
javaruntime .net 
Iyrics2 .me 
malware-bytes .info 
mediaplayer-full .info 
mediaplayer-plus .info 
mesengerplus .org 
messenger-9 .net 
messenger-plus .net 
messenger-soft .info 
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moviemaker-plus .info 
msn-messenger-9 .net 
msn-messenger-9 .org 
nero-2008 .com 
nerohome .net 


nod-32 .net 


nod32-net .info 


office2007-ful l.info 
openoffice-plus .info 
photoscape-plus .info 
photoscapesoft .info 
pspvideo9 .info 
sorpresor .com 
spybotsearch-full .info 
utorrent-net .info 
virtualdj-soft .info 
vlc-full .info 
vvinrar .com 
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vvinrar .info 
winamp-2009 .net 
winamp .ws 

windows-movie-maker .info 
winrar-2008 .com 
wiinzip .info 


cdburnerxpsoft .info 
www-emule .us 
ultradefrag .us 
bearflix .us 
guitar-pro .us 
messenger-2009 .us 
emule-telecharger .us 
aresnet.us 
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emulenet .us 
emulepro .us 
nerohome .us 
vvinrar.us 
aresfull .us 
avastt .us 
biaze .us 
e-bitdefender .us 
e-bitorrent .us 
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e-mule .us 


flrefox .us 

messengerhome .us 

utorent.us 

utorren .us 

winzipp .us 

cccpcodecs.org 

ares-2008 .org 

pdf-creator .org 

limevvire .org 

mesengerplus .org 

w-ares .org 

w-emule .org 

www-3gpconverter .org 

www-advanced .org 

www-emule .org 

www-messenger .org 

www-realplayer .org 

www-windowsmediaplayer .org 

ares-3 .org 



ares-net .org 
chroome .org 
emule-pro .org 
messenger-msn-9 .org 
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A similar [6]fraudulent Google AdWords scheme was 
exposed and taken care of in January. The fraudster back 

then was using a legitimate third-party revenue sharing 
toolbar installation program which was bundled within 

the legitimate software. In Soletto Group, S.A's case they 
aim to cut any intermediaries on their way to generate 
profit. 

Rapidswitch Ltd has been informed of Soletto Group, 

S.A's [7]brandjacking activities. 

This post has been reproduced from [8]Dancho Danchev's 
blog. 

1 . 

http://www.lavasoft.com/mvlavasoft/securitvcenter/blo a /all/ 

200902 

2 . 

http://www.avertlabs.com/research/blo a /index. ph p/2009/01/ 

23/pa v-to-install-free-software/ 

3. http://ddanchev.blo as pot.com/2008/03/cvbersauattin a- 
securitv-vendors-for.html 


















4. http://800notes.com/Phone.aspx/l-8QQ-448-2755 


5. http://torrentfreak.com/bittorrent-scam-shutdown-after- 
sms-re a ulations-breach-090127/ 

6. http://ddanchev.blo as pot.com/2Q09/Ql/exposin a- 
fraudulent- a oo a le-adwords.html 

7. http://blo a s.zdnet.com/securit v/7 p = 1240 

8. http://ddanchev.blo as pot.com/ 
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Transmitters Mobile Malware in the Wild (2009-07- 
08 20:02) 

A 

currently 

spreading 

[l]mobile 

malware 

known 

as 

Transmitter.C 

(sexySpace.sisx; 

















MD5: 


3e9b026a92583c77e7360cd2206fbfcd), has 
[2]brandjacked a legitimate application in an attempt to 
infect the 

initial number of devices that would later on further 
disseminate it by aggressively SMS-ing messaged to the 
web site hosting it - megacljck .com (64.22.120.235) 
Email: weijiangl98@hotmail.com. 

Upon execution it drops the following files in an attempt to 
infect S60 3rd Edition devices: 

" c _sys\bin\lnstaller_0x20026CA6.exe"c:\sys\bin\lnst alter 
_0x20026CA6.exe", FR, Rl, RW 

"c _sys\bin I AcsServer. exe 
"c:\sysextbackslashbin\AcsServer.exe", FR, Rl 

"c_private\101 f875a I import\[20026 CA5].rsc 
"c:\private\101 f875a\i mport\[20026CA5].rsc" 

What's sad is that just like the majority of mobile malware 
incidents, this one is also digitally signed using a certificate 
issued by Symbian to the name of XinZhongLi Kemao Co. 
Ltd or vendor name "Play Boy". 
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The sample (Sexy Space or SYMBOS _YXES. B) has been 
distributed to vendors, and the ISP hosting it has been 
informed. 


Related posts: 


[3]Proof of Concept Symbian Malware Courtesy of the 
Academic World 

[^Commercializing Mobile Malware 

[5] Mobile Malware Scam iSexPlayer Wants Your Money 

[6] SMS Ransomware Source Code Now Offered for Sale 

[7] 3rd SMS Ransomware Variant Offered for Sale 

This post has been reproduced from [8]Dancho Danchev's 
blog. 

1. httP://blo a s.zdnet.com/securit v/? p = 3713 

2. http://www.netain.com/en a lish/mobile-malware-report. isp 

3. http://ddanchev.blo as pot.com/2QQ6/ll/proof-of-conce pt- 
s vmbian-malware.html 

4. http://ddanchev.blo as pot.com/2007/Q5/commercializin a- 
mobile-malware 18.html 

5. http://ddanchev.blo as pot.com/2008/07/mobile-malware- 
sea m-isexplaver-wants.html 

6. http://ddanchev.blo as pot.com/2009/Q5/sms-ransomware- 
source-code-now-offered.html 

7. http://ddanchev.blo as pot.com/2Q09/Q5/3rd-sms- 
ransomware-variant-offered-for.html 


8. http://ddanchev.blo as pot.com/ 




























Dissecting Koobface Worm's Twitter Campaign 
(2009-07-15 16:49) 

My M [l]fan club" is at it again - abusing Web 2.0 in an 
automated fashion. A new Koobface variant, modified by a 

[2] Cyrillic-aware cybercriminal going under the handle of " 

[3] floppy M - it has also been injected within legitimate sites 
- has started [4]using Twitter as a distribution channel for 
the group as of last week. 

Hundreds of users infected with Koobface and using Twitter, 
are now automatically tweeting links to their fol¬ 
lowers in an attempt by the Koobface gang - evidence on 
my fan club's involvement keeps popping up like 

mushrooms - to abuse the much more insecure micro¬ 
blogging service in comparison with their original traffic 

acquisition Facebook, where they had to adapt and 
[5]outsource the CAPTCHA-solving process. 
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The Twitter campaign is different in the sense that the 
Koobface serving URLs generate random strings in an 
attempt to defeat [6]generic detection which is still possible 
due to the [7]template-ization of malware serving sites. 

The Koobface serving links themselves are a combination of 
purely malicious and compromised legitimate web sites, 
serving a slightly modified fake YouTube page, and using a 
well known - maintained by the fan club - [8]command and 
control/redirector domains (119.110.107 
.137/redirectsoft/go/tw.php; 61.235.117 


.71/redirectsoft/go/tw.php) found in their previous 
campaigns. This particular campaign provided factual 
evidence on the direct connection 

between the group and several [9]Twitter, Linkedln and 
Scribd malware campaigns, where scareware and Koobface 

variants were served. 

The following is a complete list of the Koobface URLs used i 
the Twitter campaign: 

64.37.106 .170/myfilm/ 

66.206.9 .169/privateaction/index.php 

asachi.evolink .ro/bestdvd/ 

aspompierul.zzl .org/freeperformans/ 

aspompierul.zzl .org/publicclips/ 

bit. ly/ w4ITQ 

bodegasjalisco .com/bestfilms/ 
brentsmusic .com/publicaction/ 
cadcam.tecnoceram .it/privatedvd/ 
carolslinks .com/fantastictube/ 
caruso89.netsons .org/bestaction/ 
celaneotest.fun-domain .com/uncensoredvids/ 
chaps.com .my/besttube/ 



chriscubed .com/cooldemonstration/ 
costafarilya .com/extrimetv/ 
cubman32.net .ua/extrimevids/ 
dalaa3.110mb .com/extrimeaction/ 
deathschildren .com/extrimeclips/ 
divya.com .au/megatube/ 
download.rmes .ru/uncensoredclip/ 
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dplive.webserwer .pl/besttv/ 
dramat.ilive .ro/extrimeclips/ 
filipicsr .biz/youtube/ 

flaviusrize .com/uncensoredclips/index.php 
gandhiinternational. in/extrimetv/ 
igorbrasil .com/freetv/ 
itprospecialists .com/cooldvd/ 
kawalkimp3.yoyo .pl/yourtv/ 
kuzmi4.llOmb .com/yourshow/index.php 
lemujeme .cz/myshow/ 
lepk.yoyo .pl/privatevids/ 


matt.freehost .pl/privatefilms/ 

nataly.org .ua/extrimedemonstration/ 

oceanacompany .com/bestvids/ 

oceanacompany .com/yourshow/ 

piuk-chow .dk/megafilms/ 

promo-door .ru/mymovie/ 

reprographic .co.in/fantasticaction/ 

reprographic .co.in/megaperformans/ 

rksrouby .cz/funnyaction/ 

sekurpaslanmaz .com/amaizingdvd/ 
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sekurpaslanmaz .com/bestfilms/ 
siam9 .com/bestfilms/ 
siam9 .com/coolclip/ 
siam9 .com/publicmovies/ 
skywebupload.freeweb7 .com/funnyclips/ 
srbijafest .org/privatefilm/ 
subject.freehost .pl/extrimefilms/ 


subject.freehost .pl/publicvids/ 
supreeme .com/megademonstration/ 
teatrall.dramat.ilive .ro/extrimeclips/ 
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tenminutemedia .com/funnyclip/ 
thegoodhand .com/yourmovie/ 
thelambda.php5 .cz/privatemovies/ 
tinyurl .com/l48o9v 

webxtreme.evolink .ro/uncensoredtube/ 
wiedzmin06.lua .pl/myvids/ 
xpertfill.com .mx/megafilm/ 
yarentextil .com/funnyvideo/ 
yasarturu.com .tr/yourvideo/ 
zoomtox .com/youtube/ 

Interestingly, I was able to take a peek at the statistics used 
exclusively for the Twitter campaign on two of the command 
and control/redirectors domains maintained by the gang. 
The results? Thankfully, pretty modest as you 

can see in the attached screenshots. 
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What all of these URLs have in common are the 
[10]Koobface command and control/redirector (r-d-cgpay- 

090709 .com/go/tw.php) domains that they point to, 
including several new additions prior to their original ones 
described in previous posts. 

Command and control domains sharing the same IPs - 
98.143.159.138; 78.110.175.15; 61.235.117.71; 

119.110.107.137: 

upr0306 .com - Email: bigvillyxxx@gmail.com 

red-dir-cgpay-0307 .com 
cgpay-re-230609 .com 
r-d-cgpay-090709 .com 
rjulythree .com 

trisem .com - Email: 2009polevandrey@mail.ru 
uprtrishest .com - Email: 2009polevandrey@mail.ru 

uthreejuly .com 
rd040609-cgpay .net 

newcounters .cn - Email: madarkipun@yandex.ru 

rd040609-cgpay .net 
r2606 .com 


er20090515 .com 


redir2404 .com 


wn20090504 .com - Email: bigvillyxxx@gmail.com 

redir0705 .com 
redir0805 .com 
er20090515 .com 
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On the these very same [ll]command and control domains, 
we can also also seen [12]Koobface worm's captcha7.dll 

component in action: 

rd040609-cgpay .net/cap/?a=get &i = l &v=7 
upr0306 .com/cap/?a=get &i = 2 &v=7 
rjulythree .com/cap/?a=get &i=3 &v=7 
uthreejuly .com/cap/?a=get &i=4 &v=7 
er20090515 .com/cap/?a=get &i=0 &v=7 

In this particular case, obtaining the CAPTCHA image from 

nua06032009 .biz/cap/temp - 218.93.202.50 Email: 
kfmnmkswrnkcxlgpfdxb68@gmail.com. 

A [13]complete list of command and control domains 
courtesy of FireEye, is once again emphasizing on the 

fact that the Koobface gang may be aware of each and 
every malicious traffic acquisition tactic there is, but has 


centralized their infrastructure making it easy to deal with 
it. 

Who's providing them with the hosting infrastructure? 

218.93.202.50 - China Beijing Chinanet Jiangsu Province 
Network 

98.143.159.138 - United States Los Angeles Oc3 Networks 
& Web Solutions Lie 

78.110.175.15 - Russian Federation Limit-surehost-ip/UK 
Dedicated Servers Limited 

61.235.117.71 - China Shenzhen China Railcom 
Guangdong Shenzhen Subbranch 

119.110.107.137 - Malaysia Kuala LumpurTm Net Sdn 
Bhd 

Compared to the money they make out of scareware, since 
they diversify on multiple revenue-generation 

fronts, they money they pay for the anti-abuse hosting looks 
like pocket change. 

Related posts: 

[14] Dissecting the Koobface Worm's December Campaign 

[15] Dissecting the Latest Koobface Facebook Campaign 

[16] The Koobface Gang Mixing Social Engineering Vectors 

Ukrainian "fan club" and the Koobface connection: 

[17] Dissecting a Swine Flu Black SEO Campaign 



[18] Massive Blackhat SEO Campaign Serving Scareware 

[19] From Ukrainian Blackhat SEO Gang With Love 

[20] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[22] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [23]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as oot.com/2QQ9/Q6/from-ukrainian- 
blackhat-seo- a an a -with 09.html 
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4. http://status.twitter.com/post/138789881/koobface- 
malware-attack 
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23. http://ddanchev.blo as oot.com/ 

390 


El 


4th SMS Ransomware Variant Offered for Sale (2009- 
07-16 18:48) 

Locking down an infected Windows-based host and 
demanding a premium rate SMS message for the unlock 
code 

([1]SMS Ransomware Source Code Now Offered for Sale; 
[2]New ransomware locks PCs, demands premium SMS for 

removal; [3]3rd SMS Ransomware Variant Offered for Sale), 
is slowly [4]becoming a trend, that despite its current 
geographical prevalence evident in Russia, it could easily 
become an international issue due to the [5]cost-effective 
localization services available on demand these days. 

Yet another SMS-based ransomware variant is offered for 
sale ( $10), making this the 3rd such variant avail¬ 
able for purchase during the past couple of months. The 
author appears to be a Moscow-based opportunist, clearly 
interested in making a quick buck and lacking any long¬ 
term ambitions - at least for the time being. Despite that the 
message and the visual interface can be changed on 
request, the default version is once again insisting that 
Microsoft locked down this copy of Windows because it 












detected it as pirated copy, and in order to unlock it the 
user has to send an SMS in order to receive the unlock code. 

What bothers me is not the potential "spread-ibility" of his 
campaigns that is if he turns into a user of his own code, but 
how easily and cost-effectively his customers can push the 
ransomware to a huge number of already 

infected malware hosts. 

This post has been reproduced from [6]Dancho Danchev's 
blog. 
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1. http://ddanchev.blo as DOt.com/20Q9/Q5/sms-ransomware- 
source-code-now-offered.html 

2. http://blo a s.zdnet.com/securit v/? p = 3197 

3. http://ddanchev.blo as pot.com/2Q09/Q5/3rd-sms- 
ransomware-vanant-offered-for.html 

4. http://ddanchev.blo as pot.com/2009/Q7/le a itimate- 
software-t v posauatted-in-sms.html 

5. http://ddanchev.blo as pot.com/20Q8/ll/localizin a- 
c vbercrime-cultural.html 

6. http://ddanchev.blo as pot.com/ 

392 


12 


From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts (2009-07-16 22:57) 






















Could a dysfunctional abuse department facilitate 
cybercrime? Appreciate my rhetoric with an emphasis on 
Layered Technologies, Inc. 

Exactly one month ago, [l]the Ukrainian gang that I've 
been extensively monitoring due to their apparent in¬ 
volvement in literally each and every malware campaign 
targeting Web 2.0 properties - that's of course next to 

[2] the Koobface connection in general - intensified their 

[3] automatic abuse of Twitter, Scribd and Linkedln using 
plain simple social engineering tactics. 
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Since the campaign seems to be ongoing, it's time to spill 
some coffee on their latest scareware domains, see how the 
campaign's quality degraded upon notifying the affected 
parties, and emphasize on the fact that since Layered 
Technologies, Inc. abuse department wasn't available for 
comment prior to this post, the Ukrainian "fan club" 

continues using their services. 

Bogus Twitter accounts serving scareware part of their 
campaign: 

twitter .com/carmenelectrapn 
twitter .com/LilKimUncensord 
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twitter .com/KimKardashianll 
twitter .com/KateWinsletNude 
twitter .com/DeniseRichardsK 
twitter .com/KendraWilkinsol 
twitter .com/CHristinaRicciN 
twitter .com/Shakira nude 
twitter .com/BritneySpearsll 
twitter .com/PamelaAndersonO 
twitter .com/kimkardashian3 
twitter .com/BritneySpearse 
twitter .com/LindsayLohannn 
twitter .com/KatieHolmesNud 
twitter .com/LilKimUncensord 
twitter .com/britneyspearst 
twitter .com/LindsayLohanee 
twitter .com/JenniferLovew 
twitter .com/AnnaFarisNnude 
twitter .com/MileyCyrusnud 
twitter .com/carmenelectrasx 
twitter .com/adulttrishstrat 



395 


£ 


As in previous campaign, their redirectors continue working 
- excluding oymomahon .com which is down - and 
serving newly typosquatted scareware domains. For 
instance showmealltube .com/fathulla/13.html 
(64.92.170.135; 216.32.83.110) which is exclusively used 
on all the bogus accounts redirects to myhealtharea 
.cn/in.cgi?14 

(64.92.170.135; 216.32.83.110), again Layered 
Technologies, Inc. 

The same goes for the second domain, delshikandco 
.com/paqi-video/30.html (216.32.83.104) Email: 

alexeyvas@safe-mail.net ([4]muItipie scareware domains 
registered under the same email) as well as [5]an- 

other redirector maintained by them used in previous 
campaign, ntlligent .info/tds/in.cgi (72.232.163.171) 
also both hosted at Layered Technologies, Inc.. 
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The new scareware domains used in the first redirection: 

nusecurityshields .com - 91.213.29.252 - [6]FakeAlert- 
WinwebSecurity.gen 

besecurepctrue .com 


wesecurepcs .com 


securityverpcs .com 
allsecuredpcshields .com 
myrealsecuritys .com 
realsecurityspot .com 
allentruesecurity .com 

The second redirection leads to thetubesmovie 
.com/xplaymovie.php?id=40012 - 216.240.143.7 - 
Email: 

queeziegl@gmail.com where onlinemovies.40012.exe 
([7]Trojan.Crypt.ZPACK.Gen) is served, which upon exe¬ 
cution phones back to myart-gallery .com/senm.php? 
data= (64.27.5.202) Email: jnthndnl@gmail.com; robert- 
art 

.com/senm.php?data= (66.199.229.229) Email: 
robesha@gmail.com; and superarthome 
.com/senm.php?data = 

(216.240.146.119) Email: chucjack@gmail.com. Yet another 
redirector at showmeall-tube-xx .com/xtube.htm - 

78.159.98.70 - Email: crashtestdanger@mail.ru attempts to 
download more scareware from showmeall-tube-xx 

.com/setup.exe - [8]Trojan:Win32/Winwebsec. 

Parked on 216.240.143.7 are also: 

go-go-tube.com - Email: consanch@gmail.com 

thetubesmovie.com - Email: queeziegl@gmail.com 
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tubessite.com - Email: roberkimb@gmail.com 
besttubetech.com - Email: tashcham@gmail.com 
supertubetop.com - Email: queeziegl@gmail.com 
yourtubetop.com - Email: tashcham@gmail.com 
greattubetop.com - Email: roberkimb@gmail.com 
f1lcorp.com 

my-tube-dot.com - Email: consanch@gmail.com 

The newly registered Scribd and Linkedln accounts also 
point to these very same domains. Bogus Scribd accounts 

approximately a thousand - participating in the campaign 

scribd .com/Eva Mendes %20naked 

scribd .com/Kim Kardashian %20sex %20tape 
%20free 

scribd .com/Nude %20wrestling 

scribd .com/KimKardashianSex %20Tape 

scribd .com/BritneySpears %20Sex %20Tape 

scribd .com/HollyMadison Naked 

scribd .com/Free %20Animal %20Sex %20Videos 

scribd.com/BritneySpearsCircus 


scribd .com/Emma %20Watson %20kissingsomeone 

scribd .com/Paris %20Hilton %20 %20sex %20tape 

scribd .com/Ellen %20degeneresgay 

scribd .com/Gallery %20of %20Lindsay Lohan 

scribd .com/Amy Smart %20nude 

scribd .com/Stacy Keibler %20in %20a %20bikini 
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scribd .com/Jennifer %20Aniston %20sexiestl 
scribd .com/HelenMirren %20nudity 
scribd .com/Vida _Guerra %20butt 
scribd .com/Paris %20Hilton %20in %20bed 
scribd .com/Paris %20Hilton %20sex %20video 
scribd .com/Paris %20Hilton %20 %20movie 
scribd .com/ParisHiltonnakedl 
scribd .com/Jessica %20Rabbitadult 
scribd .com/Maria Kanellis %20playboy 
scribd .com/Anna Nicole uncensored 
scribd .com/Kim + Kardashian %20sex %20video 
scribd .com/keeleyhazellsextape 


scribd .com/Britney-Spears-womanizer2 

scribd .com/BRITNEY %20SPEARS %20DESNUDA 
%201 

scribd.com/Age %20of %20EmmaWatson 

scribd .com/JenniferLopez %20desnuda 

scribd .com/BritneySpears %20comix 

scribd .com/MUJERES %20NEGRAS %20DESNUDAS 
%201 

scribd .com/John %20Cena's %20 %20dick 
scribd .com/Hilary %20Duff %20naked %201 
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scribd .com/MaribelGuardia %20desnuda 

scribd .com/Jessica %20Simpsonnude 

scribd .com/Amanda-Bynes-nip-slipl 

scribd .com/Tara-Reid-desnudal 

scribd .com/Jessica %20Albanude 

scribd .com/Mujeres %20famosas %20 %20desnudas 

scribd .com/AngelinaJolie %20Naked 

scribd .com/Lindsay Lohan %20naked 

scribd .com/Niurka Marcos %20desnuda 


scribd .com/FOTOS %20DE %20MARIBEL 
%20GUARDIA %20DESNUDA 

scribd .com/INGRID %20CORONADO %20DESNUDA 
%201 

scribd .com/NINEL %20CONDE %20DESNUDA1 
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scribd .com/Paris %20Hilton %20movie %201 

scribd .com/Free %20Kim %20Kardashian %20 
%20Sex %20 %20Tape 

scribd .com/Pamela %20anderson %20nude 

scribd .com/Vanessa-Williams-Penthouse-pictorial2 

scribd .com/Natalie %20Portman %20sunbathing 
%201 

scribd .com/Anne %20Hathaway %20naked %201 

scribd .com/Stacy Keibler %20nude 

scribd .com/Scarlett Johansson %20galleryx 
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Bogus Linkedln accounts participating in the campaign: 

linkedin .com/pub/anneliese-van-der-pol- 
nude/14/150/371 


linkedin .com/pub/disney-s-raven-symone- 
nude/14/150/604 

linkedin .com/pub/jennifer-love-hewitt/13/ab6/396 

linkedin .com/pub/free-nude-celebs/14/6b/65b 

linkedin .com/in/nudetubee 

linkedin .com/in/nudepics2 

linkedin .com/in/freenudecelebritiesl 

linkedin .com/in/nudecelebritiesl 

linkedin .com/in/nudephotosl 

linkedin .com/pub/nude-art/14/6b/6a 

The statistics from two of the bit.ly URLs showcase how the 
campaign scaled due to the number of bogus ac¬ 
counts, and they virtually disappeared upon notifying the 
affected parties which removed the accounts in less than a 
hour. The gang keeps making a point that I made a while 
ago - a single group can dominate the entire Web 2.0 

threatscape, automatically if they want to. 

This post has been reproduced from [9]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as pot.com/2009/Q6/from-ukraine- 
with-scareware-servin a .html 

2. http://ddanchev.blo as pot.com/2009/Q7/dissectin a- 
koobface-worms-twitter.html 
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Koobface - Come Out, Come Out, Wherever You Are 
(2009-07-22 11:09) 

UPDATE2: New binaries are hosted at web.reg 
.md/l/[l]pdrv.exe; web.reg .md/l/[2]pp.l0.exe and at 
web.reg 

.md/l/[3]f b.49.exe 

UPDATE: The Koobface gang is [4]upgrading the command 
and control infrastructure in response to the positive ROI out 
of the takedown activities. This of course doesn't mean that 
enough evidence on "who's who" behind Koobface and a 
huge percentage of the currently active malware campaigns 
targeting Web 2.0 properties hasn't been 

gathered already. 
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Especially now that it's apparent we know each other's 
names. A recent Koobface update includes the following 

message: (thanks to TrendMicro for pinging me) : 

l/l/e express our high gratitude to Dancho Danchev 
(http://ddanchev.blogspot.com) for the help in bug 
fixing, 

researches and documentation for our software. 

The ROI of several abuse notices during the weekend, quick 
response from [5]China's CERT which took care of 


61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web 
Solutions Lie abuse team which took care of the Koobface 
activity at 98.143.159.138 - cgpay-re-230609 .com still 
responds to the IP - looks pretty positive and managed to 
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increase the opportunity cost for the Koobface gang since it 
caused them some troubles during the weekend. 

With [6]Koobface worm's Twitter campaign currently in a 
stand by mode due to the publicity it attracted, as 

well as the fact that the central redirection points used in 
the campaign are down, let's assess the current Koobface 
hosting infrastructure, with an emphasis on [7]UKSERVERS- 
MNT (AS42831) which stopped responding to abuse 

notifications as of Sunday. 

How did the Koobface gang/fan club responded to the 
downtime anyway? By introducing several new domains, 
and 

parking them at 78.110.175.15 - [8]UKSERVERS-MNT 
(AS42831), whose abuse department remains unreachable 

ever since. 
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Following the first abuse notice sent to UKSERVERS-MNT the 
company temporarily closed the account (78.110.175.15) 
of the "customer", then brought it back online. Asked why, 
they responded that the "customer" claimed he's been 


compromised and that he needs to clean up the mess and 
secure the server. In reality that means " give us some time 
to smoothly update DNS records and migrate operations 
now that ail of our command and control locations are 
offline". 

Since they presumed I don't take lying personally, half an 
hour later I checked again and the Koobface com¬ 
mand and control servers were operational again. The 
company forwarded the responsibility to the customer and 

said they closed down the account. 
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However, what the Koobface gang did was to register a new 
domain and use it as Koobface C &C again parked at the 
same IP, which remains active - zaebalinax .com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular 

zaebalinax 

.com/the/?pid=14010 which is redirecting to the Koobface 
botnet. Two more domains were also registered and parked 
there, ul5jul .com and umidsummer .com - Email: 
2009polevandrey@mail.ru which remain in stand by mode 
at least for the time being. 

Upon execution the Koobface binary phones back to 

upr0306 .com/achcheck.php; upr0306 
.com/ld/gen.php 

(78.110.175.15) and attempts to download 

upload.octopus-multimedia .be/l/pdrv.exe; 


upload.octopus- 


multimedia .be/l/pp.lO.exe. 

UKSERVERS-MNT (AS42831) is also known with its 
connections to gumblar.cn malware campaigns, as well as 

having hosted a domain (supernerd.org) part of a 

[9] Photobucket malvertising campaign. 

Related posts: 

[10] Dissecting Koobface Worm's Twitter Campaign 

[11] Dissecting the Koobface Worm's December Campaign 

[12] Dissecting the Latest Koobface Facebook Campaign 

[13] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [14]Dancho Danchev's 
blog. 
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8fdl8d973dabbfd51a997329a5c9eda3cblc2ac0fb92- 

12487 
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4. http://blo a .trendmicro.com/new-koobface-u oa rade- 
makes-it-takedown-oroof/ 

5. http://www.cert.or a .cn/en a lish_web/overview.htm 
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Koobface - Come Out, Come Out, Wherever You Are 
(2009-07-22 11:09) 

UPDATE2: New binaries are hosted at web.reg 
.md/l/[l]pdrv.exe; web.reg .md/l/[2]pp.l0.exe and at 
web.reg 

.md/l/[3]f b.49.exe, 

UPDATE: The Koobface gang is [4]upgrading the command 
and control infrastructure in response to the positive ROI out 
of the takedown activities. This of course doesn't mean that 
enough evidence on "who's who" behind Koobface and a 
huge percentage of the currently active malware campaigns 
targeting Web 2.0 properties hasn't been 

gathered already. 
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Especially now that it's apparent we know each other's 
names. A recent Koobface update includes the following 

message: (thanks to TrendMicro for pinging me) : 

l/l/ie express our high gratitude to Dancho Danchev 
(http://ddanchev.blogspot.com) for the help in bug 
fixing, 

researches and documentation for our software. 


The ROI of several abuse notices during the weekend, quick 
response from [5]China's CERT which took care of 

61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web 
Solutions Lie abuse team which took care of the Koobface 
activity at 98.143.159.138 - cgpay-re-230609 .com still 
responds to the IP - looks pretty positive and managed to 
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increase the opportunity cost for the Koobface gang since it 
caused them some troubles during the weekend. 

With [6]Koobface worm's Twitter campaign currently in a 
stand by mode due to the publicity it attracted, as 

well as the fact that the central redirection points used in 
the campaign are down, let's assess the current Koobface 
hosting infrastructure, with an emphasis on [7]UKSERVERS- 
MNT (AS42831) which stopped responding to abuse 

notifications as of Sunday. 

How did the Koobface gang/fan club responded to the 
downtime anyway? By introducing several new domains, 
and 

parking them at 78.110.175.15 - [8]UKSERVERS-MNT 
(AS42831), whose abuse department remains unreachable 

ever since. 
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Following the first abuse notice sent to UKSERVERS-MNT the 
company temporarily closed the account (78.110.175.15) 
of the "customer", then brought it back online. Asked why, 
they responded that the "customer" claimed he's been 
compromised and that he needs to clean up the mess and 
secure the server. In reality that means " give us some time 
to smoothly update DNS records and migrate operations 
now that ail of our command and control locations are 
offline". 

Since they presumed I don't take lying personally, half an 
hour later I checked again and the Koobface com¬ 
mand and control servers were operational again. The 
company forwarded the responsibility to the customer and 

said they closed down the account. 
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However, what the Koobface gang did was to register a new 
domain and use it as Koobface C &C again parked at the 
same IP, which remains active - zaebalinax .com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular 

zaebalinax 

.com/the/?pid=14010 which is redirecting to the Koobface 
botnet. Two more domains were also registered and parked 
there, ul5jul .com and umidsummer .com - Email: 
2009polevandrey@mail.ru which remain in stand by mode 
at least for the time being. 

Upon execution the Koobface binary phones back to 

upr0306 .com/achcheck.php; upr0306 
.com/ld/gen.php 


(78.110.175.15) and attempts to download 

upload.octopus-multimedia .be/l/pdrv.exe; 

upload.octopus- 

multimedia .be/l/pp.lO.exe. 

UKSERVERS-MNT (AS42831) is also known with its 
connections to gumblar.cn malware campaigns, as well as 

having hosted a domain (supernerd.org) part of a 

[9] Photobucket malvertising campaign. 

Related posts: 

[10] Dissecting Koobface Worm's Twitter Campaign 

[11] Dissecting the Koobface Worm's December Campaign 

[12] Dissecting the Latest Koobface Facebook Campaign 

[13] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [14]Dancho Danchev's 
blog. 

1 . 

http://www.virustotal.com/analisis/fd92d6bcd6322dld2794 

54flQacc99f30395c9825989a43a267a586bd000f5c2- 

12486 
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4. http://blo a .trendmicro.com/new-koobface-u pa rade- 
makes-it-takedown-proof/ 

5. http://www.cert.or a .cn/en a lish_web/overview.htm 
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A Diverse Portfolio of Fake Security Software - Part 
Twenty Three (2009-07-27 17:59) 

Part twenty three of the diverse portfolio of fake security 
software series, will once again summarize the scareware 
domains currently in circulation, delivered through the usual 
channels - blackhat SEO, compromises of legitimate web 
sites, comment spam and bogus adult web sites, with an 
emphasis on a yet another bogus company acting as a 

front-end to an affiliate network - AK Network Commerce 
Ltd. 

Scareware remains the dominant monetization tactic 
applied by cybercriminals automatically abusing Web 2.0 

properties. 
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The latest scareware domains are as follows: 

scanyourcomputeronlinevl .com - 78.46.251.41; 
83.133.126.155; 91.212.107.5; 94.102.48.29; 78.46.251.41 
- Email: info@chinainindia.org.in 










promalwarescannerv2 .com - Email: 
info@researchcmr.com 

spywarefolderscannerv2 .com Email: 
willpan@glamoxcon.com 

antivirusscannervlO .com - Email: 
mohammed32@yahoo.com 

scanyourcomputeronlinevl .com - Email: 
info@chi nainindia.org. in 

folder-antivirus-scanvl .com - Email: 
info@duebamet.com 

personalfolderscanv2 .com - Email: 
hfbeauty@yahoo.com 

spywarefolderscannerv2 .com - Email: 
willpan@glamoxcon.com 

privatevirusscannerv2 .com - Email: 
hfbeauty@yahoo.com 

secure-antivirus-scanv3 .com - Email: 
info@duebamet.com 

bestfoldervirusscanv3 .com - Email: alfonso- 
li@sohun.com 

antispyware-scannerv3 .com - Email: 
willpan@glamoxcon.com 

Iiveantimalwarescannerv3 .com - Email: 
hongkong@campusparis.org 


onlinespywarescannerv3 .com - Email: Peng@pradac.cn 



onlineantivirusscanv4 .com - Email: Peng@pradac.cn 

onlineantispywarescanv6 .com - Email: 
czoao@hotmail.com 

antivirus-scannerv6 .com - Email: paul.smith@acdc.cn 

antivirusonlinescanv9 .com - Email: 
info@chinainindia.org.in 

antimalwarescannerv9 .com - Email: 
mohammed32@yahoo.com 
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antispywarescannerv9 .com - Email: 
mohammed32@yahoo.com 

bestcomputerscanv7 .com - Email: 
cgrenier@reclamation.com 

in5id .com - 67.212.71.196 - Email: getoony@gmail.com 
goscantune .com - Email: canrcnad@gmail.com 
in5ch .com - Email: getoony@gmail.com 
goscanback .com - Email: alcnafuch@gmail.com 
goscanlook .com - Email: chinrfi@gmail.com 
gotunescan .com - Email: canrcnad@gmail.com 
gofatescan .com - Email: alcnafuch@gmail.com 
gobackscan .com - Email: alcnafuch@gmail.com 


goparkscan .com - Email: canrcnad@gmail.com 
in5st .com - Email: getoony@gmail.com 
gagtemple .info - Email: tiermity@gmail.com 
strelyk .info - Email: tiermity@gmail.com 
mixsoul .info - Email: tiermity@gmail.com 
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loacher .info - Email: tiermity@gmail.com 

unvelir .info - Email: tiermity@gmail.com 

lendshaft .info - Email: tiermity@gmail.com 

goironscan .com - 209.44.126.152 - Email: 
aloxier@gmail.com 

metascan4 .com - Email: exmcon@gmail.com 
notescan4 .com - Email: exmcon@gmail.com 
genscan4 .com - Email: exmcon@gmail.com 
scanlist6 .com - Email: exmcon@gmail.com 
goscanpark .com - Email: exmcon@gmail.com 
gobackscan .com - Email: exmcon@gmail.com 
gomapscan .com - Email: exmcon@gmail.com 
scan4gen .com - Email: exmcon@gmail.com 


namearra .info - Email: stnorvel@gmail.com 
xtraroom .info - Email: stnorvel@gmail.com 
sundalet .info - Email: stnorvel@gmail.com 
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privacy-centre .org - 89.208.136.91 - Email: 
acapz@freebbmail.com 

prvacy-centre .org - Email: acapz@freebbmail.com 
privacy-centar .org - Email: acapz@freebbmail.com 
prvacy-centar .org - Email: acapz@freebbmail.com 
privacy-ceter .org - Email: acapz@freebbmail.com 
prvacy-ceter .org - Email: acapz@freebbmail.com 
privacy-center .org - Email: acapz@freebbmail.com 
prvacy-center .org - Email: acapz@freebbmail.com 
privacy-centor .org - Email: acapz@freebbmail.com 
privacy-centr .org - Email: acapz@freebbmail.com 
prvacy-centr .org - Email: acapz@freebbmail.com 
pcenter56 .com 

privacyupdate447 .com - Email: prv54@lycos.com 

pcenter57 .com 

personalonlinescanv3 .com - 78.46.251.41 - Email 
vms@hellofm.in 



antivirusfolderscanv5. com - Email: 
Bush.Mussar@yahoo.com 

antivirusfolderscannerv5 .com - Email: 
Bush.Mussar@yahoo.com 

privatevirusscannerv5 .com - Email: cs@pakoil.com.pk 

antivirusforcomputrerv5 .com - Email: 
Bush.Mussar@yahoo.com 

spywarefastscannerv6 .com - Email: cs@pakoil.com.pk 

antimalwarescanv7 .com - Email: 
Bush.Mussar@yahoo.com 

antimalwareproscannerv8 .com - Email: 
Bush.Mussar@yahoo.com 

antimalwareproscannerv9 .com - Email: 
Bush.Mussar@yahoo.com 

antivirusscannerv9 .com - Email: 
Bush.Mussar@yahoo.com 

advanedspywarescan .com - Email: 
xors678@freebbmail.com 

securedvirusscan .com - Email: adsff@freebbmail.com 

secured-virus-scanner .com - Email: 
adsff@freebbmail.com 

free-spyware-cleaner .com - 212.117.160.18 - Email: 
robertsimonkroon@gmail.com 

free-spyware-checker .org - Email: 
robertsimonkroon@gmail.com 



fast-spyware-cleaner .org - Email: 
robertsimonkroon@gmail.com 

clean-pc-now .org - Email: robertsimonkroon@gmail.com 


spyware-scaner .com - Email: 
robertsimonkroon@gmail.com 

free-spyware-cleaner .com - Email: 
robertsimonkroon@gmail.com 

free-tube-orgasm .net - Email: 
robertsimonkroon@gmail.com 

free-spyware-cleaner .net - Email: 
robertsimonkroon@gmail.com 

clean-pc-now .net - Email: robertsimonkroon@gmail.com 
spyware-killer .biz - Email: robertsimonkroon@gmail.com 
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protectionsystemlab .com - 89.149.254.174; 
91.212.198.36 

ez-scanner-online .com 

smart-antivirus-online .com 

uptodatesystem .com 

checks-files-now .com 

download-filez-now .us 

files-download-now .net 


check-files-now .net 


antispyware2009 .com - 75.125.241.58 

remover .org 

antispyware .com 

regsweep .com 

registryclear .com 

adwarebot .com 

cleanmalwarefree .com - 218.93.205.244 - Email: 
lvanMaltzev@gmail.com 

killlabs .com - Email: ad6@safe-mail.net 

cleanmalwarefast .com - Email: ad6@safe-mail.net 

cleanmalwareeasy .com - Email: ad6@safe-mail.net 
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adware-2010 .com -67.211.161.49 

adware-2009.comantispyware2013 .com - 

98.124.199.1; 98.124.198.1 

antispyware2012 .com 

securityscanweb .com - 209.44.126.22 - Email: 
Gerald.A.Flowers@trashymail.com 

securitytestavailable .com - 209.44.126.81 - Email: 
Roy.M.Tucker@pookmail.com 


liveantivirusinfov2 .com - 78.47.132.222; 78.47.172.69 - 
Email: cgrenier@reclamation.com 

antivirus-scannerv9 .com - Email: paul.smith@acdc.cn 

purchuaseonlinedefence .com - 78.47.91.154 - Email: 
jenny@allbestmarine.com.sg 

purchuaseliveprotection .com - Email: 
jenny@allbestmarine.com.sg 

windowssecurityinfo .com - 83.133.123.113 - Email: 
arziwl2@freebbmail.com 

antimalwarescanner-v2 .com - Email: 
tareen@yahoo.com 

maliciousbaseupdates .com - Email: freight@beds.com 

ieprotectionlist .com - Email: vanmullem@yahoo.com 

personalcleaner2009 .com - 88.208.19.4 - Email: 
personalcleaner2009.com@liveinternetmarketingltd.com 

ak-networkcommerce .com - Email: ak- 
networkcommerce.com@liveinternetmarketingltd.com 

pc-antimalwaresuite .com - Email: pc- 
antimalwaresuite.com@liveinternetmarketingltd.com 

basepayment .com - Email: 
basepayment.com@liveinternetmarketingltd.com 
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Sampled malware phones back to od32qjx6meqos 
.cn/ua.php, more phone back locations are also parked 
there: 



0ni9ols3feu60 .cn - 220.196.59.23 - Email: 
robertsimonkroon@gmail.com 

mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 

84u9wb2hsh4p6 .cn - Email: 
robertsimonkroon@gmail.com 

7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 

kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 

q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 

rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 

tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 

4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 

kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 

hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 

mt3pvkfmpi7de .cn - Email: 
robertsimonkroon@gmail.com 

fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com 

z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 

p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 

fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 

p0umob9k2g7mp .cn - Email: 
robertsimonkroon@gmail.com 



7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 
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One of the latest front-ends to scareware affiliate networks is 
AK Network Commerce Ltd (ak-networkcommerce 

.com) : 

" Implementing latest anti-hacker technology based on 
expert and user reviews AK Network Commerce Ltd enables 
hacker-proof defense, blocks unauthorized access to your 
private information, and hides your identity Having 
combined latest features of cutting-edge privacy protection 
technologies our knowledgeable team designed products to 
easily and effectively fight perilous cyber attempts. 

Thorough selection and step-by-step application of 
elements and tools required for comprehensive protection 
of your personal data helped us achieve success and 
become industry leading representatives. We did our best to 
prove that the time has come to leave behind worries about 
private data theft. " 

The company is the very latest attempt of a bogus company 
to build legitimacy into their" latest anti-hacker 
technology". Meanwhile, the blacklisting , sample 
distribution, and shutting down the scareware domains not 
only undermines the effectiveness of their largely 
centralized malware campaigns, costs them missed revenue 
projections, but also, it increases the opportunity costs for 
the gang. 


Related posts: 


[1] A Diverse Portfolio of Fake Security Software - Part Twenty 
Two 

[2] A Diverse Portfolio of Fake Security Software - Part Twenty 
One 

[3] A Diverse Portfolio of Fake Security Software - Part Twenty 

[4] A Diverse Portfolio of Fake Security Software - Part 
Nineteen 
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[5] A Diverse Portfolio of Fake Security Software - Part 
Eighteen 

[6] A Diverse Portfolio of Fake Security Software - Part 
Seventeen 

[7] A Diverse Portfolio of Fake Security Software - Part 
Sixteen 

[8] A Diverse Portfolio of Fake Security Software - Part Fifteen 

[9] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[10] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[11] A Diverse Portfolio of Fake Security Software - Part 
Twelve 

[12] A Diverse Portfolio of Fake Security Software - Part 
Eleven 

[13] A Diverse Portfolio of Fake Security Software - Part Ten 



[14] A Diverse Portfolio of Fake Security Software - Part Nine 

[15] A Diverse Portfolio of Fake Security Software - Part Eight 

[16] A Diverse Portfolio of Fake Security Software - Part 
Seven 

[17] A Diverse Portfolio of Fake Security Software - Part Six 

[18] A Diverse Portfolio of Fake Security Software - Part Five 

[19] A Diverse Portfolio of Fake Security Software - Part Four 

[20] A Diverse Portfolio of Fake Security Software - Part Three 

[21] A Diverse Portfolio of Fake Security Software - Part Two 

[22] Diverse Portfolio of Fake Security Software 

This post has been reproduced from [23]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as pot.com/2QQ9/Q7/diverse-portfolio- 
of-fake-securitv.html 
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15. http://ddanchev.blo as pot.com/2QQ8/10/diverse- 
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5th SMS Ransomware Variant Offered for Sale (2009- 
07-29 13:17) 

11 Your system has been blocked because it is running a 
pirated copy of Windows. In order to unblock it, enter the 
activation code sent to you by SMS-ing the following 
number. " 

Demand and [l]emerging business models based on micro¬ 
payment ransom meet supply, with yet another 

SMS-based ransomware variant offered for sale ( $25). Just 
like in previous underground market propositions, this one 
comes with a value-added service in the form of managed 
undetected binaries on a daily basis for an extra $5 

for an undetected copy. It's worth pointing out that due to 
the customization offered, their original layouts and the 
error messages will look a lot different once their customers 
get hold of the ransomware. 




















Key features include: 

- protecting against repeated infection through Mutex 

- pops-up on the top of all windows 

- disables safe mode, as well as possible key combinations 
attempting to bypass the window 

- adds itself as a trusted executable/excluded one in 
Windows Firewall 
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- variety of non-intrusive auto-starting/executable injecting 
capabilities 

- Rotx encryption for the activation codes 

- ability to embedd more than one activation code 

- monitors and automatically blocks process names of tools 
that could allow removal 

- complete removal of the code from the system once the 
correct activation code is entered 

- zero detection rate of a sampled binary - of course the 
advertiser is biased and he didn't bother including reference 
to the service he used (Virustotal, NoVirusThanks.org etc.) 

Despite several isolated cases where the originally Russian- 
based ransomware is affecting international English- 
speaking users, the campaigns are primarily targeting 
Russian speaking users - at least for the time being until the 
malware authors or their customers start localizing it. This 
emerging micro-payment ransomware business model 



is the direct result of largely unregulated market segments 
allowing literally anyone to get hold of a premium and 
automatically managed number in order to facilitate it. 

Related posts: 

[2] 4th SMS Ransomware Variant Offered for Sale 

[3] 3rd SMS Ransomware Variant Offered for Sale 

[4] SMS Ransomware Source Code Now Offered for Sale 

[5] New ransomware locks PCs, demands premium SMS for 
removal 

This post has been reproduced from [6]Dancho Danchev's 
blog. 

1 . 

http://www.svmantec.com/business/securitv_resoonse/write 
up.is p?docid = 2 009-07242 2-2 049-99&tabid = 2 

2. http://ddanchev.blo as pot.com/20Q9/Q7/4th-sms- 
ransomware-variant-offered-for.html 

3. http://ddanchev.blo as pot.com/2Q09/Q5/3rd-sms- 
ransomware-variant-offered-for.html 

4. http://ddanchev.blo as pot.com/2009/Q5/sms-ransomware- 
SQurce-code-nQw-offered.html 

5. http://blo a s.zdnet.com/securit v/? p = 3197 

6. http://ddanchev.blo as pot.com/ 
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Social Engineering Driven Web Malware Exploitation 
Kit (2009-07-30 16:36) 

The [^standardization through [2]template-ization of bogus 
codec/flash player/video pages, taking place during the past 
two years, has exponentially increased the [3]efficiency 
levels of malware campaigns relying exclusively on 

[4]social engineering. 

Just like [5]phishing pages being commodity, these 
commodity spoofs of legitimate software/plugins relying on 
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"visual social engineering" represent a market segment by 
themselves, one that some cybercriminals have been 
attempting to monetize for a while. 

Case in point - their latest attempt to do so comes in the 
form of the first social engineering driven web malware 
exploitation kit. 

Despite that the kit's author has ripped off a well known 
exploits-serving malware kit's statistics interface, what's 
unique about this release is the fact that the exploit 
modules come in the form of " Missing Flash Player"', " 
Outdated Flash Player 1 ', " Missing Video Codec", " Outdated 
Video Codec", "Codec Required" modules. 

These very same modules represent the dominant social 
engineering attack vector on the Internet due to the quality 
of the spoofs and the end users' gullibility while self- 
infecting themselves. For the time being, the author 


appears to be an opportunist rather than someone 
interested in setting new benchmarks for standardization 
social engineering by using the efficiency and delivery 
methods offered by a web malware exploitation kit. 
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Interestingly, a huge number of fake codec serving web 
sites are already detecting the OS/Browser of the visitor, 
and serving [6]Mac OS X based malware or Windows based 
malware based on the detection. This fact, as well as the 
fact that visual spoofs of OS X like dialogs are also getting 
template-ized are not a coincidence - it's a signal for an 
efficient and social engineering driven malware delivery 
mechanism in the works. The development of the kit will be 
monitored and updates posted - if any. 

Meanwhile, the recent blackhat SEO campaign which 
attempted to hijack ' Harry Potter and the Half-Blood Prince' 

related traffic is a good example on how despite the 
magnitude of the campaign - hundreds of thousands of 
indexed and malware serving pages - due to the manual 
campaign management, its centralized nature makes it 
easier to 

shut down. 
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Upon clicking on a link, the end user was redirected to usa- 
top-news .info - 67.228.147.71 - Email: 


fullhdvid@gmail.com, then to world-news-scandals .com 
Email: wnscandals@gmail.com, and finally to 

tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 
- jOcqware@gmail.com where [7]the codec was served 

from exefreefiles .com - 95.211.8.20 - Email: 
caseOns@gmail.com. More coded serving domains are 
parked on the same IPs: 

216.240.143.7 

sunny-tube-world .com - Email: briashou@gmail.com 
the-blue-tube .com - Email: malccrome@gmail.com 
onlysteeltube.com - Email: briashou@gmail.com 
thecooltube .com - Email: malccrome@gmail.com 
etesttube .com - Email: katschezz@gmail.com 
thegrouttube .com - Email: katschezz@gmail.com 
fllcorp .com 
95.211.8.20 

exe-load-2009 .com - Email: robeshur@gmail.com 
exefiledata .com - Email: robeshur@gmail.com 
exereload .com - Email: robeshur@gmail.com 
431 

El 

load-exe-world .com - Email: robeshur@gmail.com 


cool-exe-file .com - Email: robeshur@gmail.com 

last-home-exe .com - Email: robeshur@gmail.com 

exefreefiles .com - Email: caseOns@gmail.com 

boardexefiles .com - Email: caseOns@gmail.com 

exeloadsite .com - Email: jOcqware@gmail.com 

The gang maintains another domain portfolio with pretty 
descriptive nature for phone back, direct fake codec serving 
purposes: 

agro-files-archive .com 
alkbbs-files .com 
all-tube-world .com 
best-light-search .com 
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besttubetech .com 
chamitron .com 
cheappharmaad .com 
dipexe .com 

downloadnativeexe .com 
ebooks-archive .org 
etesttube .com 


exedownloadfull .com 



exefiledata .com 


exe-paste .com 
exe-soft-development .com 
exe-xxx-file .com 
eyeexe .com 
go-exe-go .com 
greattubeamp .com 
green-tube-site .com 
hotexedownload .com 
hot-exe-load .com 
imagescopybetween .com 
isyouimageshere .com 
labsmedcom .com 
last-exe-portal .com 
lost-exe-site .com 
lyy-exe .com 
main-exe-home .com 
mchedlishvili .name 
metro-tube .net 
my-exe-load .com 



newfileexe .com 


protectionimage .com 
robo-exe .com 
rube-exe .com 
securetaxexe .com 
softportal-extrafiles .com 
softportal-files .com 
storeyourimagehere .com 
superOtube .com 
super-exe-home .com 
supertubetop .com 
sysreportl .com 
sysreport2 .com 
testtubefilms .com 
texasimages2009 .com 
the-blue-tube.com 
thecooltube .com 
thegrouttube .com 
thetubeamps .com 


thetubesmovie .com 



tiaexe .com 


tube-best-4free .com 
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tube-collection .com 
tvtesttube .com 
yourtubetop .com 

Who's behind these domains and the Harry Potter blackhat 
SEO campaign? But, "of course", it's the "[8]fan club" 

with the [9]Koobface connection, continuing to use [10]the 
same phone back locations that they've been using 

during [ll]the past couple of months - myart-gallery 
■ com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; 
robert-art .com/senm.php - 66.199.229.229 - Email: 

robesha@gmail.com; superarthome .com/senm.php - 

216.240.146.119 - Email: chucjack@gmail.com. 

This post has been reproduced from [12]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as DOt.com/2009/Q2/template-ization- 
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8. http://ddanchev.blo as pot.com/20Q9/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

9. http://ddanchev.blo as pot.com/20Q9/Q7/koobface-come- 
out-come-out-wherever-vou.html 

10. http://ddanchev.blo as pot.com/2QQ9/Q7/from-ukraine- 
with-bo a us-twitter.html 

11. http://ddanchev.blo as pot.com/2QQ9/Q6/from-ukrainian- 
blackhat-seo- a an a -with Q9.html 

12. http://ddanchev.blo as pot.com/ 
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Social Engineering Driven Web Malware Exploitation 
Kit (2009-07-30 16:36) 




































The [^standardization through [2]template-ization of bogus 
codec/flash player/video pages, taking place during the past 
two years, has exponentially increased the [3]efficiency 
levels of malware campaigns relying exclusively on 

[4]social engineering. 

Just like [5]phishing pages being commodity, these 
commodity spoofs of legitimate software/plugins relying on 
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"visual social engineering" represent a market segment by 
themselves, one that some cybercriminals have been 
attempting to monetize for a while. 

Case in point - their latest attempt to do so comes in the 
form of the first social engineering driven web malware 
exploitation kit. 

Despite that the kit's author has ripped off a well known 
exploits-serving malware kit's statistics interface, what's 
unique about this release is the fact that the exploit 
modules come in the form of " Missing Flash Player*', " 
Outdated Flash Player*', " Missing Video Codec", " Outdated 
Video Codec", "Codec Required" modules. 

These very same modules represent the dominant social 
engineering attack vector on the Internet due to the quality 
of the spoofs and the end users' gullibility while self- 
infecting themselves. For the time being, the author 
appears to be an opportunist rather than someone 
interested in setting new benchmarks for standardization 
social engineering by using the efficiency and delivery 
methods offered by a web malware exploitation kit. 
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Interestingly, a huge number of fake codec serving web 
sites are already detecting the OS/Browser of the visitor, 
and serving [6]Mac OS X based malware or Windows based 
malware based on the detection. This fact, as well as the 
fact that visual spoofs of OS X like dialogs are also getting 
template-ized are not a coincidence - it's a signal for an 
efficient and social engineering driven malware delivery 
mechanism in the works. The development of the kit will be 
monitored and updates posted - if any. 

Meanwhile, the recent blackhat SEO campaign which 
attempted to hijack ' Harry Potter and the Half-Blood Prince' 

related traffic is a good example on how despite the 
magnitude of the campaign - hundreds of thousands of 
indexed and malware serving pages - due to the manual 
campaign management, its centralized nature makes it 
easier to 

shut down. 
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Upon clicking on a link, the end user was redirected to usa- 
top-news .info - 67.228.147.71 - Email: 

fullhdvid@gmail.com, then to world-news-scandals .com 
Email: wnscandals@gmail.com, and finally to 

tubesbargain .com/xplay.php?id=40018 - 216.240.143.7 
- jOcqware@gmail.com where [7]the codec was served 


from exefreefiles .com - 95.211.8.20 - Email: 
caseOns@gmail.com. More coded serving domains are 
parked on the same IPs: 

216.240.143.7 

sunny-tube-world .com - Email: briashou@gmail.com 
the-blue-tube .com - Email: malccrome@gmail.com 
onlysteeltube.com - Email: briashou@gmail.com 
thecooltube .com - Email: malccrome@gmail.com 
etesttube .com - Email: katschezz@gmail.com 
thegrouttube .com - Email: katschezz@gmail.com 
fllcorp .com 
95.211.8.20 

exe-load-2009 .com - Email: robeshur@gmail.com 
exefiledata .com - Email: robeshur@gmail.com 
exereload .com - Email: robeshur@gmail.com 
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load-exe-world .com - Email: robeshur@gmail.com 
cool-exe-file .com - Email: robeshur@gmail.com 
last-home-exe .com - Email: robeshur@gmail.com 
exefreefiles .com - Email: caseOns@gmail.com 


boardexefiles .com - Email: caseOns@gmail.com 

exeloadsite .com - Email: jOcqware@gmail.com 

The gang maintains another domain portfolio with pretty 
descriptive nature for phone back, direct fake codec serving 
purposes: 

agro-files-archive .com 
alkbbs-files .com 
all-tube-world .com 
best-light-search .com 
besttubetech .com 
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chamitron .com 
cheappharmaad .com 
dipexe .com 

downloadnativeexe .com 
ebooks-archive .org 
etesttube .com 
exedownloadfull .com 
exefiledata .com 
exe-paste .com 
exe-soft-development .com 



exe-xxx-file .com 


eyeexe .com 
go-exe-go .com 
greattubeamp .com 
green-tube-site .com 
hotexedownload .com 
hot-exe-load .com 
imagescopybetween .com 
isyouimageshere .com 
labsmedcom .com 
last-exe-portal .com 
lost-exe-site .com 
lyy-exe .com 
main-exe-home .com 
mchedlishvili .name 
metro-tube .net 
my-exe-load .com 
newfileexe .com 
protectionimage .com 


robo-exe .com 



rube-exe .com 


securetaxexe .com 
sklproject .org 
softportal-extrafiles .com 
softportal-files .com 
storeyourimagehere .com 
superOtube .com 
super-exe-home .com 
supertubetop .com 
sysreportl .com 
sysreport2 .com 
testtubefilms .com 
texasimages2009 .com 
the-blue-tube.com 
thecooltube .com 
thegrouttube .com 
thetubeamps .com 
thetubesmovie .com 
tiaexe .com 


tube-best-4free .com 
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tube-collection .com 
tvtesttube .com 
yourtubetop .com 

Who's behind these domains and the Harry Potter blackhat 
SEO campaign? But, "of course", it's the "[8]fan club" 

with the [9]Koobface connection, continuing to use [10]the 
same phone back locations that they've been using 

during [ll]the past couple of months - myart-gallery 
■ com/senm.php - 64.27.5.202 - Email: jnthndnl@gmail.com; 
robert-art .com/senm.php - 66.199.229.229 - Email: 

robesha@gmail.com; superarthome .com/senm.php - 

216.240.146.119 - Email: chucjack@gmail.com. 
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Summarizing Zero Day's Posts for July (2009-08-03 
17:02) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for July. 


























You can also go through previous summaries for [2]June, 
[3]May, [4]April, [5]March f [6]February, [7]January, 

[8]December, [9]November, [10]October, [ll]September, 
[12]August and [13]July, as well as subscribe to my 

[14]personal RSS feed or [15]Zero Day's main feed. 

Notable articles include - [16]Manchester City Council pays 
$2.4m in Conficker clean up costs; [17]Transmit- 

ter.C mobile malware spreading in the wild and [18]Does 
free antivirus offer a false feeling of security? 

01. [19]Manchester City Council pays $2.4m in Conficker 
clean up costs 

02. [20]EyeWonder malware incident affects popular web 
sites 
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03. [21]Koobface worm joins the Twittersphere 

04. [22]Transmitter.C mobile malware spreading in the wild 

05. [23]lmageShack hacked by anti-full disclosure 
movement 

06. [24]Does free antivirus offer a false feeling of security? 

07. [25]Remote code execution exploit for Firefox 3.5 in the 
wild 

08. [26]Adobe ships insecure version of Reader from official 
site 



09. [27]The future of mobile malware - digitally signed by 
Symbian? 

10. [28]419 scammers using Dilbert.com 

11. [29]Spammers go multilingual, use automatic 
translation services 

This post has been reproduced from [30]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/20Q9/Q7/summarizin a- 
zero-da vs- posts-for- i une.html 

3. http://ddanchev.blo as pot.com/2009/Q6/summarizin a- 
zero-da vs- posts-for-mav.html 

4. http://ddanchev.blo as pot.com/2009/Q5/summarizin a- 
zero-da vs- POSts-for-april.html 

5. http://ddanchev.blo as pot.com/2009/Q3/summarizin a- 
zero-da vs- posts-for-march.html 

6. http://ddanchev.blo as pot.com/2Q09/Q3/summarizin a- 
zero-da vs- posts-for.html 

7. http://ddanchev.blo as pot.com/2009/Q2/summarizin a- 
zero-da vs- posts-for- i anuarv.html 

8. http://ddanchev.blo as pot.com/20Q9/01/summarizin a- 
zero-da vs- posts-for.html 

9. http://ddanchev.blo as pot.com/20Q8/12/summarizin a- 
zero-da vs- posts-for.html 









































10. http://ddanchev.blo as pot.com/20Q8/ll/summarizin a- 
zero-da vs- posts-for-october.html 

11. http://ddanchev.blo as pot.com/20Q8/10/summarizin a- 
zero-da vs- posts-for.html 

12. http://ddanchev.blo as pot.com/2008/Q9/summarizin a- 
zero-da vs- posts-for-au a ust.html 

13. http://ddanchev.blo as pot.com/2008/Q8/summarizin a- 
zero-da vs- ppsts-foN ul v.html 

14. http://updates.zdnet.com/ta a s/dancho-i-danchev.html? 
t=Q&s=Q&o=l&mode=rss 

15. http://feeds.feedburner.com/zdnet/securit v 

16. http://blo a s.zdnet.com/securit v/? p=3690 

17. http://blo a s.zdnet.com/securi t v/? p=3713 

18. httP://blo a s.zdnet.com/securit v/? p=3733 

19. http://blo a s.zdnet.com/securit v/? p=3690 

20. httP://blo a s.zdnet.com/securit v/? p=3694 

21. http://blo a s.zdnet.com/securi t v/? p=3706 

22. httP://blo a s.zdnet.com/securit v/? p=3713 

23. http://blo a s.zdnet.com/securit v/? p=3725 

24. httP://blo a s.zdnet.com/securit v/? p=3733 

25. http://blo a s.zdnet.com/securit v/? p=3743 

26. httP://blo a s.zdnet.com/securit v/? p=3764 


























































27. httP://blo a s.zdnet.com/securit v/? p=3781 

28. http://blo a s.zdnet.com/securit v/? p=3809 

29. httP://blo a s.zdnet.com/securit v/? p=3813 

30. http://ddanchev.blo as pot.com/ 

444 


£ 


Managed Polymorphic Script Obfuscation Services 
(2009-08-04 19:32) 

Cybecriminals understand the value of quality assurance, 
and have been actively running business models on the top 
of it for [l]the past two years. 

From the [2]multiple offline antivirus scanners using pirated 
software, the [3]online detection rate checking 

services allowing scheduled URL scan and notification upon 
detection by antivirus vendors, to the underground 

alternatives of VirusTotal in the form of [4]multiple firewalls 
bypass verification checks - cybercriminals are actively 
benchmarking and optimizing their releases before 
launching yet another campaign. 
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A newly launched service aims to port a universal managed 
malware feature on the web - the polymorphic 

[5] obfuscation of malicious scripts in an attempt to increase 

[6] the lifecycle of a particular campaign. 













Interestingly, due to the obvious software piracy within the 
cybercrime ecosystem which allowed ^propri¬ 
etary malware tools to leak [8]in the wild, the service is 
using a particular malware kit's javascript obfuscation 
routines and is running a business model on it. 
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For the time being, it relies on three obfuscation algorithms, 

HTMLCryptor olnly - used 56 times, TextUnescape - 

used 109 times, and PolyLite - already used 177 times. The 
DIY obfuscation service, also checks and notifies the 
cybercriminal over ICQ in cases when his IPs and domain 
names have been blacklisted by Google's Safebrowsing, as 
well as Spamhaus, and more checks against public malware 
domain/IP databases are on the developer's to-do list. 
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The price? $20 for monthly access and $5 for weekly. 

Despite the fact that the service is attempting to monetize a 
commodity feature available to cybecriminals through the 
managed updates that come with the purchase of a 

proprietary web malware exploitation kit, it's not a fad since 
it fills in the DIY niche where the variety of the algorithms 
offered and their actual quality will either spell the doom or 
the rise of the service. 
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blog. 
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Movement on the Koobface Front (2009-08-04 21:10) 

Now that the [l]Koobface gang is no longer expressing its 
[2]gratitude for the takedown of its command and 

control servers, the group has put its contingency planning 
in action thanks to the on purposely slow reaction of 












































UKSERVERS-MNTs ([3]78.110.175.15) abuse department. 

Next to the regular updates (web.reg 
.md/l/[4]websrvx2.exe; web.reg.md/1/ [5]prx.exe), the 
group introduced two new domains and started taking 
advantage of two more IPs for its main command and control 
server. upr0306 .com now responds to: 

[6] 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd 

[7] 78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated 
Servers Limited UK Dedicated Servers 

[8] 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP 
network Chinal69 Guangzhou MAN 

and that includes the two new domains introduced - pam- 
220709 .com; ram-220709 .com, with ram-220709 

.com/go/?pid=30909 &type=videxpgo.php?sid=4 
&sref= redirecting to the [9]Koobface botnet. 

Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) 
was also used in the blackhat SEO campaigns from 
June/July, with [10]warwork .info and [ll]tangoing .info 
parked there. 
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Related posts: 

[12] Koobface - Come Out, Come Out, Wherever You Are 

[13] Dissecting Koobface Worm's Twitter Campaign 

[14] Dissecting the Koobface Worm's December Campaign 

[15] Dissecting the Latest Koobface Facebook Campaign 



[16] The Koobface Gang Mixing Social Engineering Vectors 
Ukrainian "fan club" and the Koobface connection: 

[17] Dissecting a Swine Flu Black SEO Campaign 

[18] Massive Blackhat SEO Campaign Serving Scareware 

[19] From Ukrainian Blackhat SEO Gang With Love 

[20] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[22] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[23] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 
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Movement on the Koobface Front (2009-08-04 21:10) 


Now that the [l]Koobface gang is no longer expressing its 
[2]gratitude for the takedown of its command and 

control servers, the group has put its contingency planning 
in action thanks to the on purposely slow reaction of 
UKSERVERS-MNTs ([3]78.110.175.15) abuse department. 

Next to the regular updates (web.reg 
.md/l/[4]websrvx2.exe; web.reg.md/1/ [5]prx.exe), the 
group introduced two new domains and started taking 
advantage of two more IPs for its main command and control 
server. upr0306 .com now responds to: 

[6] 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd 

[7] 78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated 
Servers Limited UK Dedicated Servers 

[8] 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP 
network Chinal69 Guangzhou MAN 

and that includes the two new domains introduced - pam- 
220709 .com; ram-220709 .com, with ram-220709 

.com/go/?pid=30909 &type=videxpgo.php?sid=4 
&sref= redirecting to the [9]Koobface botnet. 

Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) 
was also used in the blackhat SEO campaigns from 
June/July, with [10]warwork .info and [ll]tangoing .info 
parked there. 
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[22] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 
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Scareware Template Localized to Arabic (2009-08-05 
22:07) 

A "new tactic" is supposedly being used as a [l]Blue Screen 
of Death scareware template with a single missing fact 

"for the record" - the template is old, I came across it on 
[2]June 17th, with Marshal8e6 featuring it even earlier on 
the [3] 12th of June. 

What's new on the template front in respect to [4]scareware 
is what will inevitably start taking place across 

all the market segments within the underground economy in 
the long term - [5]market segmentation and localization, 
namely, translating the malware/spam/phishing templates 
to the native language of the prospective victims. 
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A decent example is the first ever template of the popular 
"My Computer Online Scan" fake scanning screen localized 
to Arabic - scan-online .co.cc/arabic.php 
(67.222.148.26). 

The last time [6]localization of fake security software was 
actively taking place was in April, 2008, and the 








campaigners back then also localized the domain names 
next to the actual content. 

This post has been reproduced from [7]Dancho Danchev's 
blog. 

1. http://sunbeltblo a .blo as pot.com/2QQ9/Q7/new-ro a ue- 
tactic-blue-screen-of.html 

2. http://ddanchev.blo as pot.com/2QQ9/Q6/from-ukraine- 
with-scareware-servin a .html 

3. http://www.marshal8e6.com/trace/i/Scareware- 
Twitters . trace.10Q4%7E.as p 

4. http://ddanchev.blo as pot.com/2009/07/diverse-portfoliQ- 
of-fake-securitv 27.html 

5 . httP://blo a s.zdnet.com/securit v/? p = 3813 

6. http://ddanchev.blo as pot.com/2QQ8/04/localized-fake- 
securitv-software.html 

7. http://ddanchev.blo as pot.com/ 
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Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware (2009-08-06 21:29) 

During the past 24 hours, a [l]blackhat SEO campaign has 
been hijacking U.S Federal Forms related keywords in an 
attempt to serve scareware. 

What's particularly interesting about the campaign is that 
the Ukrainian fan club behind it - you didn't even 



























think for a second that there's no connection with their 
previous campaigns, did you? - are using basic 
segmentation principles since the tax form keywords 
poisoning is attempting to hijack U.S traffic. Evasive 
practices are also in place through the usual http referrer 
check, which would only serve the scareware if the visitor is 
coming from Google.com, if not a 404 error message will 
appear. 

Upon clicking on the link, the user is redirected through a 
centralized location responsible for managing the 

traffic from the thousands of subdomains/keywords used - 
honda-recycle .cn/go.php?id = 2017 &key=cbafb5cb2 

&p = l - 83.133.123.113 Email: accabj@cn.accaglobal.com. 
Parked on the same IP are also related malware/scareware 
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domains: 

winsoftwareupdatev2 .com - Email: 
webmaster@kaity.or.kr 

much-in-love .com - Email: krebikim@kanmail.net 

i-dont-care-much .com - Email: krebikim@kanmail.net 

malwareurlblock .com - Email: Qinrui971@hotmail.com 

bennysaintscathedral .com - Email: 
gayaomila@yahoo.com 

browsersecurityinfo .com - Email: visor@elcomtech.com 


windowssecurityinfo .com - Email: 
arziwl2@freebbmail.com 

ringtone-radio .com - Email: bobbyer@iofc.org 

events-team-manager .com - Email: 
krebikim@kanmail.net 

lworldupdatesserver .com - Email: 
tapias.andres@hdtvspain.org 

discovernewchina .cn - Email: leijun.ma@unifem.org 

rollerskatesadvise .cn - Email: 
info@chinaeuropaforum.net 

allfootballmanager .cn - Email: 
info@chinaeuropaforum.net 

hardwarefactories .cn - Email: leijun.ma@unifem.org 

besthockeyteams .cn - Email: 
info@chinaeuropaforum.net 

gowildtours .cn - Email: leijun.ma@unifem.org 
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The malicious domains used - with two exceptions - are all 
parked at AltusHost Inc./ALTUSHOST-NET. Here's the 

complete list: 

tebdigasbi .com - 91.214.44.205 - Email: 
martin94304@yahoo.com 


kraijfaw .com - 91.214.44.240 - Email: 
argantael31869@msn.com 

reychohica .com - 91.214.44.209 - Email: 
martin94304@yahoo.com 

fequervo .com - 91.214.44.239 - Email: 
orla53111@hotmail.com 

ukaszohat .com - 91.214.44.205 - Email: 
argantael31869@msn.com 

buwrynko .com - 91.214.44.204 - Email: 
keallach84256@yahoo.com 

fetholye .com - 91.214.44.208 - Email: 
martin94304@yahoo.com 

pasbirrada .com - 91.214.44.204 - Email: 
martin94304@yahoo.com 

dynodns.net - legitimate 

thebbs.org - legitimate 
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The people behind the campaign have also taken 
contingency planning in mind since [2]the scareware 
domain 

[3]portfolio is parked on five different IPs - no-spyware- 
thanks .com - 94.102.48.29; 94.102.51.26; 
188.40.61.236; 83.133.126.155; 91.212.107.5 Email: 
Paul.Saydak@lovellis.com. The complete list: 
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fast-scan-your-pcv3 .com - Email: info@valeros.com 

basicsystemscannerv3 .com - Email: 
changhong@corpdefence.cn 

antivirus-quickscanv5 .com - Email: 
dianal982@yahoo.com 

basicsystemscannerv6 .com - Email: 
changhong@corpdefence.cn 

basicsystemscannerv8 .com - Email: 
changhong@corpdefence.cn 

privatevirusscannerv8 .com - Email: 
info@rasystems.com 

spywarefastscannerv9 .com - Email: 
info@rasystems.com 

online-pro-antivirus-scan .com - Email: 
findz@freebbmail.com 

onlineproscan .com - Email: addworld@freebbmail.com 

onlineproantivirusscan .com - Email: 
addworld@freebbmail.com 

online-pro-scanner .com - Email: 
addworld@freebbmail.com 

basicsystemscanner .com - Email: 
changhong@corpdefence.cn 


onlineproantivirusscanner .com - Email: 
findz@freebbmail.com 

iwantsweepviruses .com - Email: leesten@fedexnow.com 
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Two sampled scareware samples during the past 24 hours 
phone back to goldmine-sachs .com (Goldman Sachs 

typosquatting) - 83.133.122.211; 89.47.237.52 - Email: 
rodriguez.dallas@romehotels.com and to june-crossover 

.com - 83.133.123.109 - Email: doru@sattenis.com. In 
regard to [4]89.47.237.52, the "fan club" used it to [5]host 
scareware in theirjune's campaigns. 

AltusHost Inc./ALTUSHOST-NET is expected to take action 
shortly. 

This post has been reproduced from [6]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/? p = 3962 

2 . 

http://www.virustotal.com/analisis/7e8cd272e83020c63f5fd 

c087fcc03f23c3690fbc66ef9e2c5blQ320de0d2 22 5-12495 

11343 

3. 

http://www.virustotal.com/analisis/8cdb3d69147640c82c8b 

1657ba90c5da3ecblee0eec5d6fc6ec23c07953f6f6c-12495 










69677 
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4. http://ddanchev.blo as pot.com/2009/06/diverse-Dortfolio- 
of-fake-securitv.html 

5. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

6. http://ddanchev.blo as pot.com/ 
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U.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding (2009-08-10 18:53) 

UPDATE2: New [l]scareware domain is in rotation - 
antispywarelivescanv5 .com -83.133.123.174; 
83.133.126.155; 91.212.107.5; 94.102.48.29; 
94.102.51.26; 188.40.61.236 - Email: 
sales.in@bauhmerhhs.com. Redirection takes 

place through consensualart .cn - 78.46.201.89 - Email: 
shanghaihuny@yahoo.com. 

UPDATE: Four new domains have been introduced, again 
using the services of [2]AltusHost Inc. (AS44042): 

thwovretgi .com - 91.214.44.239 - Email: 
joby47619@msn.com 

hernewdy .com - 91.214.44.152 - Email: 
jacub26887@lycos.com 














shtifobpy .com - 91.214.44.210 - Email: 
hiraldol3686@hotma il.com 

vodcotha .com - 91.214.44.203 - Email: 
jamarcus59884@yahoo.com 

The redirection takes place through mywatermakrs .cn - 
78.46.201.89 - Email: shanghaihuny@yahoo.com 

In response to the takedown of the [3]blackhat SEO domains 
used in the campaign dissected lat week, the group 

has responded by introducing new domains next to new 
redirectors and most interestingly, has started using 

compromised/mis-configured legitimate sites in an attempt 
to increase the lifecycle of the campaign by making it 462 
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takedown-proof. 

New blackhat SEO domains again using AS44042 ROOT-AS 
root eSolutions/ALTUSHOST-NET/AltusHost Inc hosting 

services: 

fifiopod .com - 91.214.44.204 - Email: 
florenzaluwemba@gmail.com 

trodlocho .com - 91.214.44.204 - Email: 
alie57575@lycos.com 

ickgetaph .com - 91.214.44.209 - Email: 
alie57575@lycos.com 

igecanneg .com - 91.214.44.205 - Email: 
baxterl8314@yahoo.com 


somveots .com - 91.214.44.203 - Email: 
fneda24482@msn.com 

memodreydi .com - 91.214.44.240 - Email: 
frieda24482@msn.com 

jejnahob .com - 91.214.44.206 - Email: 
alie57575@lycos.com 

nuwofteuz .com - 91.214.44.206 - Email: 
frieda24482@msn.com 

hyhoppeo .com - 91.214.44.239 - Email: 
jamarcus59884@yahoo.com 

egnegvufvu .com - 91.214.44.239 - Email: 
ehetere29006@yahoo.com 

lauzpeog .com - 91.214.44.208 - Email: 
ehetere29006@yahoo.com 

sniozeanvo .com - 91.214.44.239 - Email: 
ehetere29006@yahoo.com 

hebmipenn .com - 91.214.44.207 - Email: 
adanne43906@rocketmail.com 

The cybercriminals are also attempting to use a well proven 
tactic - occupying as many search engine results as possible 
for a particular hijacked word by using identical blackhat 
SEO junk content at multiple domains. A similar attempt 
was successfully executed in [4]January, 2009's search 
results poisoning campaign at Google Video, where the first 
ten results for a particular keyword were all malicious in 
their nature. 
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The compromised/misconfigured legitimate sites used in the 
campaign are serving dynamic javascript obfuscations. 

Here's a list of ones currently in use: 

ali.zaher.lOlmain .com 
averder.cwsurf .de 
beaver-cub-scout.co .uk 
bebbinbears.co .uk 
britishbaits .com 
cancerselfhelp.org .uk 
carolineengland.co .uk 
casanickel.co .uk 
catspro-northants.org .uk 
ceiec.co .uk 

cheritontennisclub.co .uk 
childrenofthedrone .net 
chirnside.org .uk 
chris-hillman .com 
chris-hillman-photography.co .uk 
christine-pearson .com 


cicatrixonline.co .uk 


cinta.co .uk 
classic-pizza.co .uk 
crewshillgolfclub.co .uk 
cs-photo.co .uk 
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dak.crepOl.linux-site .net 
darkhorsegraphics.co .uk 
divagoddess.co .uk 
fet.jujas.myftpsite .net 
tferh.mi-website .es 

The campaign continues switching between different 
redirectors parked at 83.133.123.113 for instance: 

rondo-trips .cn 

gazsnippets .cn 

besthockeyteams .cn 

allfootballmanager .cn 

rollerskatesadvise .cn 

honda-recycle .cn - used in [5]the previous campaig 


nothern-ireland .cn 



discovernewchina .cn 
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An updated portfolio of sc a re ware/fake security software, 
parked at 94.102.51.26; 188.40.61.236; 83.133.126.155; 
91.212.107.5; 94.102.48.29 has been introduced: 

bestpersonalprotectionv2 .com 

onlinesecurescannerv3 .com 

basicsystemscannerv3 .com 

onlinebestscannerv3 .com 

basicsystemscannerv6 .com 

bestpersonalprotectionv7 .com 

basicsystemscannerv8 .com 

thankyouforscan .com 

onlinepersonalscanner .com 

basicsystemscanner .com 

onlineproantivirusscanner .com 

personalantivirusprotection .com 

internetantivirusscanner .com 

govirusscanner .com 
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iwantsweepviruses .com 
personalfoldertest .com 

[6]Sampled scareware once again phones back to the 
thebigben .cn - Email: chu-thi-huong@giang.com and 
june-crossover .com - 78.46.201.90 Email: 
doru@sattenis.com, with more scareware parked there - 

purchuase-premium-software .com - Email: 
nagappan.krishnan@persons.us; livepaymentssystem 
.com - Email: mikel2haro@yahoo.com; 
secure.livepaymentssystem .com - Email: 
mikel2haro@yahoo.com; purchuasepremiumprotection 
.com - Email: Malcolm@partypants.com. 

Evasion techniques are in again in place, however, this time 
they end up in a [7]Russian Business Network deja 

vu moment from 2008. In March, 2008, ZDNet Asia and 
TorrentReactor followed by a large number of other high 

profile, high pagerank sites started activing as 
intermediaries to scareware campaigns, among the first 
such abuse of legitimate sites for scareware serving 
purposes. 


The compromised/mis-configured web sites participating in 
this latest blackhat SEO campaign are surprisingly 

redirecting to a-n-d-the.com /wtr/router.php - 

95.168.177.35 - Email: bulk@spam.lv - AS28753 
NETDIRECT AS 
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NETDIRECT Frankfurt, DE if the http referrer condition isn't 
met. This very same domain - back then parked at 
INTERCAGE-NETWORK-GROUP2 - was also used in the same 
fashion in March, 2008's [8]massive blackhat SEO 

campaigns serving scareware. 

This post has been reproduced from [9]Dancho Danchev's 
blog. 

1 . 

http://www.virustotal.com/analisis/72bQ867470ca6312e0ae 

fa87c4e!6e2c44alc8d3c47d617ba4f09e73a9dbddbb- 

12499 

92911 

2. http://altushost.com/ 

3. http://ddanchev.blo as pot.com/2009/Q8/blackhat-seo- 
campai a n-hi i acks-us.html 

4. http://ddanchev.blo as pot.com/20Q9/01/poisoned-search- 
a ueries-at- a oo a le-video.html 

5. http://ddanchev.blo as pot.com/2009/Q8/blackhat-seo- 
campai a n-hi i acks-us.html 






















6 . 


http://www.virustotal.com/analisis/bd7cl35a7657dbb48924 

fl20e8145d5115ae815bb6f52061Q0e36184ecl32df8- 

12498 

65192 

7. http://ddanchev.blo as pot.com/2QQ8/03/zdnet-asia-and- 
torrentreactor-iframe-ed.html 


8. http://ddanchev.blo as oot.com/2QQ8/Q3/zdnet-asia-and- 
torrentreactor-iframe-ed.html 

9. http://ddanchev.blo as oot.com/ 

468 


£ 


Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign (2009-08-18 17:35) 

AltusHost Inc, the company whose services were exclusively 
used in the [l]blackhat SEO campaign using [2]U.S 

Federal Forms theme for scareware service purposes, has 
finally responded to the abuse notifications sent seven days 
ago stating that" the sites have been terminated ". Such a 
slow response once again proves that dysfunctional abuse 
departments increase the lifecycle of a 
malware/spam/phishing campaign by not taking it down 
when it's 

most actively gaining momentum. 

(For historical OSINT research, the following domains not 
previously listed were in circulating during the past week - 














thwovretgi .com - 91.214.44.239 - Email: 
joby47619@msn.com; shtifobpy .com - 91.214.44.210 - 
Email: hiraldol3686@hotmail.com; vodcotha .com - 
91.214.44.203 - Email: jamarcus59884@yahoo.com; 

stromiko .com 

- Email: hyacinthiemccolman@gmail.com; ceslyemsof 
.com - 91.214.44.205 - Email: brisco68781@lycos.com; 

ejeifyevy .com - 91.214.44.208 - Email: 
brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - 
Email: khristal2110@hotmail.com ) 
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How did the cybercriminals respond? By proving that this 
blackhat SEO campaign has been well planed and 

coordinate a long time before it was executed in the wild. 
For the time being, it relies on a combination of legitimate 
U.K based sites, the result of a evident compromise of 
[3]Web Hosting Mania due to the fact that all the affected 
legitimate sites are hosted there, a growing portfolio of .cc 
tld domains, automatic abuse of free services such as 
myftpsite.net; dns2go.com; dynodns.net; thebbs.org, 
and systematic pushing of new scareware 
variants/redirector and scareware domains, which explains 
the low generic detection rate of all the samples obtained. 

Moreover, not only did the blackhat SEO themes expanding 
in the typical randomly generated junk that has naturally 
been crawled by public search engines, but also, according 
to publicly obtainable statistics, millions of users 
(collectively) have already visited the landing sites, with 


42.80 % of the referring site for a particular domain coming 
from thebbs.org and 31.97 % from Google - their tactics 
are actively hijacking millions of users already. 
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Let's dissect the latest developments in the ongoing 
blackhat SEO campaign, list the participating 
scareware/blackhat SEO/redirection domains, the various 
monetization tactics going beyond scareware, as well as 
discuss some of the innovations used in the javascript 
obfuscation which makes it virtually impossible for a crawler 
to detect that the site is malicious. 

Key summary points: 

• U.K based hosting provider Web Mania Hosting appears to 
be compromised due to the fact that all the abused 

legitimate sites are hosted there 

• the redirection and scareware domain/binary are updated 
two times during 24 hours period of time 

• [4]the [5]scareware [6]has a [7]very [8]low [9]generic 
[lOjdetection [lljrate [12]due [13]to their [14]persistence 
in [15]updating it 

• all the scareware samples continue phoning back to 
several domains parked at 78.46.201.90 

• the cybercriminals have introduced multiple monetization 
tactics through pay-per-click malware-friendly search 
engines 


• a central redirection point (a-n-d-the 
.com/wtr/router.php) used in this campaign was used by 
the 

[16]RBN/customer of the RBN in massive iFrame injection 
attacks abusing input validation flaws within high 

profile sites over an year ago 

• sampled 
scareware 
adds 

the 

following 

registry 

entry 

[HKEY 

LOCAL 

_MA- 

CHINE\SOFTWARE\6A36EA 6E11EAAECDF5E540D 
EF2149079] plxxh = "Dujaq!! " - DujaqM 

means "Bl*w 

me!!" 

• the blackhat SEO gang is using a unique javascript 
obfuscation which I originally stumbled upon a couple 



of months ago while assessing another blackhat SEO 
courtesy of the [17]Ukrainian "fan club", the one with the 
Koobface connection. It relies on dynamically generated 
code spoofing go.live.com and rds.yahoo.com random 
URLs for evasion purposes. The only vendor that detects it is 
McAfee-GW-Edition as 

[18]Heuristic.BehavesLike.JS.CodeUnfolding.A 
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Compromised legitimate domains at [19]Web Hosting Mania 
currently in circulation: 

ladydestiny .com 

marchbrook.co .uk 

mgwooldridge.co .uk 

midfleet .com 

mikedz.co .uk 

millypeds.co .uk 

mitchameditorial.co .uk 

moddeydhoomcc.co .uk 

monkeyfist.co .uk 

morita.co .uk 

mosoul.co .uk 


mrbuzzhard.co .uk 


mtbpigs.co .uk 
mysticspirals.co .uk 
mythagostudios .com 
neilwebsterhoundtrailing.co .uk 
newmarskecricketclub.co .uk 
oneintenrock.co .uk 
pcook.co .uk 
pengineer.co .uk 
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Blackhat SEO domains redirecting to scareware, currently 
circulation using a .cc tld extension: 

agjjgtfyi .cc - Email: susan@michiganfarms.com 

ckckoo .cc - Email: briettamacpherson@gmail.com 

eunlabkce .cc - 93.170.134.175 - Email: 
susan@michiganfarms.com 

ewjwjiavg .cc - 74.206.242.22 - Email: 
susan@michiganfarms.com 

fgodvsli .cc - 93.170.133.205 - Email: 
susan@michiganfarms.com 

fgodvsli .cc - 93.170.133.205 - Email: 
susan@michiganfarms.com 


fyecdizt .cc 93.170.156.119 - Email: 
susan@michiganfarms.com 

hgzondsul .cc - 174.137.171.69 - Email: 
susan@michiganfarms.com 

iiuuoo .cc - Email: briettamacpherson@gmail.com 

ijnteqc .cc - 93.170.130.105 - Email: 
susan@michiganfarms.com 

irolopl .cc - 93.170.134.203 - Email: 
susan@michiganfarms.com 

jglcbngvu .cc - 93.170.130.217 - Email: 
susan@michiganfarms.com 

jpydmee .cc - 93.170.133.247 - Email: 
susan@michiganfarms.com 

kdwwwwon .cc - 93.170.134.231 - Email: 
susan@michiganfarms.com 

kgowncgi .cc - 93.170.154.179 - Email: 
susan@michiganfarms.com 

Imhhsnd .cc - 93.170.156.105 - Email: 
susan@michiganfarms.com 
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mezkopq .cc - 93.170.129.75 - Email: 
susan@michiganfarms.com 

mvsoomw .cc - 93.170.131.66 - Email: 
susan@michiganfarms.com 


njfgfbd .cc - 93.170.156.21 - Email: 
susan@michiganfarms.com 

nsdgkrge .cc - 93.170.153.98 - Email: 
susan@michiganfarms.com 

nselkss .cc - 93.170.130.245 - Email: 
susan@michiganfarms.com 

owudfnay .cc - 93.170.131.178 - Email 
susan@michiganfarms.com 

pfjfsiunt .cc - 93.170.151.80 - Email: 
susan@michiganfarms.com 

piqvrrugd .cc - 93.170.156.63 - Email: 
susan@michiganfarms.com 

rroiqbznj .cc - 93.170.134.35 - Email: 
susan@michiganfarms.com 

ssyydqyh .cc - 93.170.131.206 - Email: 
susan@michiganfarms.com 

sucdugon .cc - 93.170.154.100 - Email 
susan@michiganfarms.com 

tftrwxlg .cc - 93.170.130.133 - Email: 
susan@michiganfarms.com 

tirtop .cc - 188.72.198.21 - Email: 
elaynedangubic@gmail.com 
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uclrwpyp .cc - 93.170.131.38 - Email: 
susan@michiganfarms.com 

uomfchbj .cc - 93.170.131.10 - Email: 
susan@michiganfarms.com 

vrmmnicl .cc - 93.170.151.10 - Email: 
susan@michiganfarms.com 

vtgisihjy .cc - 93.170.133.163 - Email: 
susan@michiganfarms.com 

vwyldlbe .cc - 188.72.204.57 - Email: 
brigidadorion@gmail.com 

vzlbamuvs .cc - 93.170.130.49 - Email: 
susan@michiganfarms.com 

wgyxrmtld .cc - 93.170.152.226 - Email: 
susan@michiganfarms.com 

xisuuzos .cc - 93.170.134.77 - Email: 
susan@michiganfarms.com 

xlkzmqiw .cc - 93.170.131.234 - Email: 
susan@michiganfarms.com 

zirtop .cc - Email: elaynedangubic@gmail.com 

zmtkpugbz .cc - 93.170.130.189 - Email: 
susan@michiganfarms.com 

zncutvk .cc - 174.137.171.117 - Email: 
susan@michiganfarms.com 

New blackhat SEO domains portfolio using NOC4Hosts Inc's 
services: 



rebuwe .net - 206 . 51 . 230.97 


sivezo .net - 206 . 51 . 230.98 
mipola .net - 206 . 51 . 230.95 
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kowipe .net - 206 . 51 . 230.92 
kerobo .net - 206 . 51 . 230.90 
gelupe .net - 206 . 51 . 230.104 
fuquwe .net - 206 . 51 . 230.103 
hyduve .net - 206 . 51 . 230.200 
bisehu .net - 206 . 51 . 230.99 
wypule .net - 206 . 51 . 230.95 
xylucy .net - 206 . 51 . 230.97 
xulady .net - 206 . 51 . 230.96 
lyqyte .net - 206 . 51 . 230.94 
nimygu .net - 206 . 51 . 230.96 
zuziki .net - 206 . 51 . 230.98 
symiza .net - 206 . 51 . 230.99 
bisehu .net - 206 . 51 . 230.99 


msrxdk .com - 188.72.192.78 - Email: 
charlenecrewshgkn@yahoo.com 


kimuka .net - 188.72.192.78 - Email: 
charlenecrewshgkn@yahoo.com 

ylkbin .com - 188.72.192.81 

476 

K 

Portfolio of scareware domains participating in the blackhat 
SEO campaing, parked at 83.133.126.155; 88.198.107.25; 
88.198.120.177; 91.212.107.5; 94.102.51.26; 
188.40.61.236; 62.90.136.237; 91.212.127.200; 
78.46.251.43; 

91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 
88.198.105.149; 88.198.233.225; 93.158.114.132: 

antispywaretotalscan9 .com - 213.163.89.60; 
89.47.237.55; 89.248.174.61 - Email: info@siggy.com 

antispywaretotalscan5 .com - Email: info@siggy.com 

antispywaretotalscan6 .com - Email: info@siggy.com 

antispywaretotalscan8 .com - Email: info@siggy.com 

antispywaretotalscan9 .com - Email: info@siggy.com 

delete-all-virus05 .com - Email: sales@naukrit.com 

delete-all-virus07 .com - Email: sales@naukrit.com 

delete-all-virus09 .com - Email: sales@naukrit.com 


delete-all-virus03 .com - 213.163.89.60; 
88.198.233.225; 91.213.126.100; 193.169.12.70 - Email: 
sales@naukrit.com clean-all-spywarelO .com - Email: 
crbarnes@uvic.ca 

remove-all-adwareOl .com - Email: info@nco.com.cn 
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clean-all-spywareOl .com - Email: crbarnes@uvic.ca 

fast-virus-scan2 .com - Email: 
courseinfo@greenwich.ac.uk 

remove-all-spyware03 .com - Email: info@nco.com.cn 

fast-virus-scan4 .com - Email: 
courseinfo@greenwich.ac.uk 

clean-all-spyware05 .com - Email: crbarnes@uvic.ca 

best-virus-scanner5 .com - Email: info@ecomsol.com 

remove-all-spyware07 .com - Email: info@nco.com.cn 

fast-virus-scan7 .com - Email: 
courseinfo@greenwich.ac.uk 

005threats-scanner .com 

09computerquickscan .com 

005yourprivatescanner .com 

online-systemscan .net - Email: 
gertrudeedickens@text2re.com 


best-spyware-scanOl .com - Email: info@viter- 
media.com 

online-antivir-scan09 .com - Email: contacts@stevens- 
media.com 

checkviruszone .com - Email: 
gertrudeed ickens@text2re.com 

guardsearch .net - Email: gertrudeedickens@text2re.com 

protection-check07 .com - Email: 
info@democraticyouth.com 

malwareinternetscanner03 .com - Email: kathy@nj- 
steams.com 

best-spyware-scan03 .com - Email: info@viter- 
media.com 

antispywarescanner08 .com - Email: info@cpehn.org 

antivirusonlinescan03 .com - Email: kathy@nj- 
steams.com 

quick-virus-scanner02 .com - Email: 
info@person.kll2.nc.us 

securedlivescan .com 
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superb-virus-scan09 .com - Email: 
tours@admiralgroup.co.uk 

superb-antivir-scanOl .com - Email: 
tours@admiralgroup.co.uk 



intellectual-vir-scan09 .com - Email: 
info@worldlifehencey.com 

intellectual-vir-scan08 .com - Email: 
info@worldlifehencey.com 

private-antivirus-scannerv2 .com - Email: 
webmaster@parun.co.kr 

reliable-scannerOl .com - Email: info@cansupply.com 

superb-virus-scan07 .com - Email: 
tours@admiralgroup.co.uk 

antivirus-online-scan8 .com - Email: 
webmaster@TangoDance.cn 

best-antivirus3 .com - Email: info@legtimeprime.com 

Iive-virus-scanner5 .com - Email: info@infy-tasks.com 

antivirus-online-scan4 .com - Email: pranky- 
marie@yahoo.com 

antispyware-scanner5 .com - Email: 
janny.marl23@yahoo.com 

antivirus-online-scan5 .com - Email: pranky- 
marie@yahoo.com 

Iive-virus-scanner7 .com - Email: info@infy-tasks.com 
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clean-all-spyware .com - Email: 
jdemagis@rocheste.ganet.com 


getyoursecuritynowv2 .com - Email: info@meat- 
beaf.com.cn 

getyourantivirusv3 .com - Email: info@meat-beaf.com.cn 

getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn 

antivirus-scannervl2 .com - Email: 
info@chinatownnetwork.com.cn 

safeonlinescannerv4 .com - Email: 
steg.gregl992@yahoo.com 

check-for-malwarev3 .com - Email: al@bis-solutions.com 

check-your-pc-onlinev3 .com - Email: al@bis- 
solutions.com 

searchurlguide .com - 64.86.16.9 - 
Email: powell.johnll@gmail.com 

securitypad .net - 206.53.61.70 - Email: 
gertrudeedickens@text2re.com 

prestotunerst .cn - 64.86.16.210 - Email: 
unitedisystems@gmail.com 

officesecuritysupply .com - Email: 
Ronald.T.Samora@spambob.com 

securityread .com - Email: Anna.R.Helm@dodgit.com 
scanasite .com - Email: Carol.J.Hipp@mailinator.com 
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cheapsecurityscan .com - Email: 

Kevin. L. Li nkous@trashymail.com 

securitysupplycenter .com - Email: 
Janet.R.Vasquez@spambob.com 

best-folder-scanv3 .com - Email: info@best-util-til.com 

online-best-scanv3 .com - Email: public@cropfactor.in 

online-defenderv9 .com - Email: public@cropfactor.in 

antispyware-live-scanv3 .com - Email: 
ervinl981rolf@yahoo.com 

antispywarelivescanv5 .com - Email: 
sales.in@bauhmerhhs.com 

antispyware-online-scanv7 .com - Email: 
ervinl981rolf@yahoo.com 

basicsystemscannerv8 .com - Email: 
changhong@corpdefence.cn 

bestpersonalprotectionv2 .com - Email: 
cfaal996@yahoo.com.cn 

bestpersonalprotectionv7 .com - Email: 
cfaal996@yahoo.com.cn 

computer-antivirus-scanv9 .com - Email: 
melaniestarmelanie@yahoo.com 

fastvirusscanv6 .com - Email: info@rasystems.com 

govirusscanner .com - Email: 
contact@demoninchina.com 



mysafecomputerscan .com - Email: acurtis@stevens.com 

onlineantispywarescanv6 .com - Email: 
czoao@hotmail.com 

online-antivir-scanv2 .com - Email: iren.g@sysintern.in 

onlinebestscannerv3 .com - Email: info@srilanka.cn 

onlinepersonalscanner .com - Email: info@srilanka.cn 

onlineproantivirusscan .com - Email: 
addworld@freebbmail.com 

online-pro-antivirus-scan .com - Email: 
findz@freebbmail.com 
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onlineproantivirusscanner .com - Email: 
findz@freebbmail.com 

online-secure-scannerv2 .com - Email: 
iren.g@sysintern.in 

personalantivirusprotection .com - Email: 
info@Wholesaler.cn 

personalfolderscanv2 .com - Email: 
hfbeauty@yahoo.com 

premium-antispy-scanv3 .com - Email: 
Ktrivedi@go2uti.com 

premium-antispy-scanv7 .com - Email: 
Ktrivedi@go2uti.com 


premium-antivirus-scanv6 .com - Email: 

Ktrived i@go2uti.com 

private-antivirus-scannerv2 .com - Email: 
webmaster@parun.co.kr 

privatevirusscannerv8 .com - Email: 
info@rasystems.com 

secure-antispyware-scanv3 .com - Email: info@prrp.de 

securepersonalscanner .com - Email: info@prrp.de 

secure-spyware-scannerv3 .com - Email: info@prrp.de 

secure-virus-scannerv5 .com - Email: info@prrp.de 

securityfolderprotection .com - Email: 
info@Wholesaler.cn 

spyware-scannerv2 .com - Email: 
hanan.abdelrazek@bibalexy.org 

spywarescannerv4 .com - Email: 
hanan.abdelrazek@bibalexy.org 
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Sampled scareware from the last 24 hours phones back to 
mineralwaterfilter .com - 78.46.201.90. Parked there are 
also: june-crossover .com; goldmine-sachs .com; 
momentstohaveyou .cn. More sampled scareware phones 
back to a new domain Phones back to pencil-netwok .com 
(94.102.48.31), parked there are the rest of the phone back 
locations for the rest of the scareware such as 


mineralwaterfilter .com; june-crossover .com; 
goldmine-sachs .com; bestparishotelsnow .com 

A second sampled scareware phones back to a different 
location - 92.241.176.188. Parked there are the rest 

of the domains in their scareware portfolio: 

bestscanpc .org 
bestscanpc .biz 
downloadavr2 .com 
downloadavr3 .com 
trucount3005 .com 
antivirus-scan-2009 .com 
antivirusxppro-2009 .com 
advanced-virus-remover-2009 .com 
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advanced-virus-remover2009 .com 
advanced-virusremover2009 .com 
bestscanpc .com 
xxx-white-tube .com 
blue-xxx-tube .com 


trucountme .com 


10-open-davinci .com 
vs-codec-pro .com 
vscodec-pro .com 
download-vscodec-pro .com 
v-s-codecpro .com 
antivirus-2009-ppro .com 
onlinescanxppro .com 
downloadavr .com 
bestscanpc .info 
bestscanpc .net 
bestscanpc .biz 

New/historical redirection domains used in the campaign, 
this time parked at 78.46.201.89/94.102.48.29/different 
locations as noted: 

cnn-bcc2 .com - 89.248.174.61 - Email: 
mail@sccits. com.cn 

issuenewsl .com - Email: mail@sccits.com.cn 
headlinenews2 .com - Email: mail@sccits.com.cn 
usdisturbed .cn - Email: info@brandbanks.com 
milesdavisorland .cn - Email: info@brandbanks.com 
usaworkinghard .cn - Email: info@brandbanks.com 



nationaltreasure .cn - Email: info@brandbanks.com 

milesdavisorland .cn - 91.213.126.101 - Email: 
info@brandbanks.com 

we-accepted .cn - Email: info@rcusan.org 

myth-busters .cn - Email: info@rcusan.org 

russell-brand .cn - Email: info@sciencesdemo.com 

willsmithinc .cn - Email: contact@oregonvma.org 

dirty-dancing .cn - Email: allisonh@soeconline.org 

sex-and-the-city .cn - Email: 

Oregon.artscomm@state.or. us 

clicksick .cn - 67.215.245.187 - Email: 
webmaster@clicksick.cn 

doubleclicknet .cn - 67.215.245.187 - Email: 
webmaster@doubleclicknet.cn 

shrekmovie .cn - Email: Oregon.artscomm@state.or.us 
radioheadicon .cn - Email: contact@oregonvma.org 
batman-comics .cn - Email: contact@oregonvma.org 
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beststarwars .cn - Email: allisonh@soeconline.org 
mashroomtheory .cn - Email: webmaster@TangoDance. 
space2009city .cn - Email: webmaster@TangoDance.cn 



messengerinfo .cn - Email: allisonh@soeconline.org 

greattime2009 .cn - Email: 
webmaster@seniorstuds.com.ar 

iwanttowin .cn - Email: webmaster@seniorstuds.com.ar 

hardnut .cn - Email: tan.mei.sie@monash.com.my 

sitemechanics .cn - info@powertrackers.com 

exceldocumentsinfo .cn - Email: info@powertrackers.com 

chinafavorites .cn - Email: cmo@ci.springfields.or.us 

best-live-lottery .cn - Email: info@powertrackers.com 

adeptofmastery .cn - Email: info@powertrackers.com 

trytowintoday .cn - Email: info@powertrackers.com 

bulkdvdreader .cn - 94.102.48.29 - Email: 
info@powertrackers.com 

style-everywhere .com - 88.198.105.145 - Email: 
angy.helm21@yahoo.com 

clicksick .cn - 67.215.245.187 - Email: 
webmaster@clicksick.cn 

supportyourcountry .cn - Email: 
cmo@ci.springfields.or.us 

wheels-on-fire .cn - 94.102.48.29 - Email: 
epron.sales@epron.com.hk 

stillphotoshots .cn - 94.102.48.29 - Email: 
epron.sales@epron.com.hk 



delayyouranswer .cn - Email: info@globaltechs.com.cn 

getbestsales .cn - Email: info@globaltechs.com.cn 

library-presents .cn - Email: 
hanzellandgretell@googlemail.com 

in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - 
Email: admin@in-t-h-e.cn 

bestwishestoyou .cn - 94.102.48.29 - Email: 
hanzellandgretell@googlemail.com 

library-presents .cn - 94.102.48.29 - Email: 
hanzellandgretell@googlemail.com 

getbestsales .cn - 94.102.48.29 - Email: 
info@globaltechs.com.cn 

aware-of-future .cn - Email: info@globaltechs.com.cn 

nothing-to-wear .cn - Email: steg.gregl992@yahoo.com 

newsmediaone .com - 72.21.41.198 - Email: 
advertizers@newsmediaone.com 

bapoka .net - 87.118.96.6 

stylestatsl .net - 94.102.63.16 - Email: grem@yahoo.com 

luckystats .org - Email: director@climbing-games.com 

luckystatsl .com - Email: grem@yahoo.com 

lifewepromote .cn - Email: ruixiang.guo@yahoo.com 

securecommercialnews .cn - Email: 
contacts@swedbank.com.cn 



snowboard2009 .cn - Email: weinwein2@yahoo.com 
nothern-ireland .cn - Email: accabj@cn.accaglobal.com 
goldensunshine .cn - Email: info@tartirtar.com 
steplessculture .cn - Email: info@myfibernetworks.cn 
vipsoccermanager .cn - Email: opressorl992@yahoo.com 
b2b-forums .cn - Email: weinwein2@yahoo.com 
rondo-trips .cn - Email: acurtis@stevens.com 
mywatermakrs .cn - Email: shanghaihuny@yahoo.com 
gazsnippets .cn - Email: acurtis@stevens.com 
bestvanillaresorts .cn - Email: opressorl992@yahoo.com 
personalrespect .cn - Email: weinwein2@yahoo.com 
consensualart .cn - Email: shanghaihuny@yahoo.com 
yourholidaytoday .cn - Email: opressorl992@yahoo.com 
guidetogalaxy .cn - Email: stp9014@yahoo.com 
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Among the new monetization tactics used are the typical 
[20]pay-per-click malware-friendly search engines which act 
as both, redirectors to phony sites/scams, as well as keyword 
blackholes which help them assess the popularity for a 
particular keyword, and therefore start pushing it more 
aggressively through a process called synonymization. 


Interestingly, they're exclusively using the compromised 
.co.uk, as well as purely malicious blackhat SEO do¬ 
mains for scareware serving purposes, but continue using 
the ones they operate under the free DNS service providers 
for [21]monetization through the bogus search engines. The 
domains used in this monetization approach are as 

follows: 
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rivasearchpage .com - 64.27.21.5 - Email: support@ruler- 
domains.com 

triwoperl .com - 95.168.191.19 - Email: 
florenzaluwemba@g mail, com 

tropysearch .us - 74.52.216.46 - Email: tech@add- 
manager.com 

glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - 
Email: kor4seo@rambler.ru 

funnyblogetc .info/go.php - - Email: tigerwoodl@nm.ru 

triwoperl.corn's front page is currently relying on the 
[22]go.live.com javascript obfuscation. Deobfuscated it 487 

redirects to fi97 ,net/jsr.php?uid=dir &group=ggl 
&keyword= &okw= &query=" , deja vu again - fi97 .net 

was used in the [23]Ukrainian "fan club's" blackhat SEO 
campaign in June. 


Monitoring of the campaign and takedown actions would 
continue, with an emphasis on the RBN connection 

from a related blackhat SEO campaign from last year. The 
gang is not going away anytime soon, but their campaigns 
definitely are. 

Related posts: 

[24] A Peek Inside the Managed Blackhat SEO Ecosystem 

[25] Dissecting a Swine Flu Black SEO Campaign 

[26] Massive Blackhat SEO Campaign Serving Scareware 

[27] From Ukrainian Blackhat SEO Gang With Love 

[28] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[29] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[30] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[31] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [32]Dancho Danchev's 
blog. 
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Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign (2009-08-18 17:35) 

AltusHost Inc, the company whose services were exclusively 
used in the [l]blackhat SEO campaign using [2]U.S 

Federal Forms theme for scareware service purposes, has 
finally responded to the abuse notifications sent seven days 






































ago stating that 11 the sites have been terminated'. Such a 
slow response once again proves that dysfunctional abuse 
departments increase the lifecycle of a 
malware/spam/phishing campaign by not taking it down 
when it's 

most actively gaining momentum. 

(For historical OSINT research, the following domains not 
previously listed were in circulating during the past week - 
thwovretgi .com - 91.214.44.239 - Email: 
joby47619@msn.com; shtifobpy .com - 91.214.44.210 - 
Email: hiraldol3686@hotmail.com; vodcotha .com - 
91.214.44.203 - Email: jamarcus59884@yahoo.com; 
stromiko .com 

- Email: hyacinthiemccolman@gmail.com; ceslyemsof 
.com - 91.214.44.205 - Email: brisco68781@lycos.com; 

ejeifyevy .com - 91.214.44.208 - Email: 
brisco68781@lycos.com; kuhatjidd .com - 91.214.44.203 - 
Email: khristal2110@hotmail.com ) 
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How did the cybercriminals respond? By proving that this 
blackhat SEO campaign has been well planed and 

coordinate a long time before it was executed in the wild. 
For the time being, it relies on a combination of legitimate 
U.K based sites, the result of a evident compromise of 
[3]Web Hosting Mania due to the fact that all the affected 
legitimate sites are hosted there, a growing portfolio of .cc 
tld domains, automatic abuse of free services such as 


myftpsite.net; dns2go.com; dynodns.net; thebbs.org, 

and systematic pushing of new scareware 
variants/redirector and scareware domains, which explains 
the low generic detection rate of all the samples obtained. 

Moreover, not only did the blackhat SEO themes expanding 
in the typical randomly generated junk that has naturally 
been crawled by public search engines, but also, according 
to publicly obtainable statistics, millions of users 
(collectively) have already visited the landing sites, with 
42.80 % of the referring site for a particular domain coming 
from thebbs.org and 31.97 % from Google - their tactics 
are actively hijacking millions of users already. 
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Let's dissect the latest developments in the ongoing 
blackhat SEO campaign, list the participating 
scareware/blackhat SEO/redirection domains, the various 
monetization tactics going beyond scareware, as well as 
discuss some of the innovations used in the javascript 
obfuscation which makes it virtually impossible for a crawler 
to detect that the site is malicious. 

Key summary points: 

• U.K based hosting provider Web Mania Hosting appears to 
be compromised due to the fact that all the abused 

legitimate sites are hosted there 

• the redirection and scareware domain/binary are updated 
two times during 24 hours period of time 


• [4]the [5]scareware [6]has a [7]very [8]low [9]generic 
[10]detection [ll]rate [12]due [13]to their [14]persistence 
in [15]updating it 

• all the scareware samples continue phoning back to 
several domains parked at 78.46.201.90 

• the cybercriminals have introduced multiple monetization 
tactics through pay-per-click malware-friendly search 
engines 

• a central redirection point (a-n-d-the 
.com/wtr/router.php) used in this campaign was used by 
the 

[16]RBN/customer of the RBN in massive iFrame injection 
attacks abusing input validation flaws within high 

profile sites over an year ago 

• sampled 
scareware 
adds 

the 

following 

registry 

entry 

[HKEY 


LOCAL 



MA- 


CHINE\SOFTWARE\6A36EA 6 El 1EAAECDF5E540D 
EF2149079] plxxh = "Dujaq !!" - Dujaq!! 

means "Bl*w 

me!! 11 

• the blackhat SEO gang is using a unique javascript 
obfuscation which I originally stumbled upon a couple 

of months ago while assessing another blackhat SEO 
courtesy of the [17]Ukrainian "fan club", the one with the 
Koobface connection. It relies on dynamically generated 
code spoofing go.live.com and rds.yahoo.com random 
URLs for evasion purposes. The only vendor that detects it is 
McAfee-GW-Edition as 

[18]Heuristic.BehavesLike.JS.CodeUnfolding.A 
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Compromised legitimate domains at [19]Web Hosting Mania 
currently in circulation: 

ladydestiny .com 

marchbrook.co .uk 

mgwooldridge.co .uk 

midfleet .com 

mikedz.co .uk 

millypeds.co .uk 


mitchameditorial.co .uk 


moddeydhoomcc.co .uk 
monkeyfist.co .uk 
morita.co .uk 
mosoul.co .uk 
mrbuzzhard.co .uk 
mtbpigs.co .uk 
mysticspirals.co .uk 
mythagostudios .com 
neilwebsterhoundtrailing.co .uk 
newmarskecricketclub.co .uk 
oneintenrock.co .uk 
pcook.co .uk 
pengineer.co .uk 
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Blackhat SEO domains redirecting to scareware, currently 
circulation using a .cc tld extension: 

agjjgtfyi .cc - Email: susan@michiganfarms.com 

ckckoo .cc - Email: briettamacpherson@gmail.com 


eunlabkce .cc - 93.170.134.175 - Email: 
susan@mich iganfarms.com 

ewjwjiavg .cc - 74.206.242.22 - Email: 
susan@michiganfarms.com 

fgodvsli .cc - 93.170.133.205 - Email: 
susan@michiganfarms.com 

fgodvsli .cc - 93.170.133.205 - Email: 
susan@michiganfarms.com 

fyecdizt .cc 93.170.156.119 - Email: 
susan@michiganfarms.com 

hgzondsul .cc - 174.137.171.69 - Email: 
susan@michiganfarms.com 

iiuuoo .cc - Email: briettamacpherson@gmail.com 

ijnteqc .cc - 93.170.130.105 - Email: 
susan@michiganfarms.com 

irolopl .cc - 93.170.134.203 - Email: 
susan@michiganfarms.com 

jglcbngvu .cc - 93.170.130.217 - Email: 
susan@michiganfarms.com 

jpydmee .cc - 93.170.133.247 - Email: 
susan@michiganfarms.com 

kdwwwwon .cc - 93.170.134.231 - Email: 
susan@michiganfarms.com 

kgowncgi .cc - 93.170.154.179 - Email: 
susan@michiganfarms.com 



Imhhsnd .cc - 93.170.156.105 - Email: 
susan@michiganfarms.com 
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mezkopq .cc - 93.170.129.75 - Email: 
susan@michiganfarms.com 

mvsoomw .cc - 93.170.131.66 - Email: 
susan@michiganfarms.com 

njfgfbd .cc - 93.170.156.21 - Email: 
susan@michiganfarms.com 

nsdgkrge .cc - 93.170.153.98 - Email: 
susan@michiganfarms.com 

nselkss .cc - 93.170.130.245 - Email: 
susan@michiganfarms.com 

owudfnay .cc - 93.170.131.178 - Email 
susan@michiganfarms.com 

pfjfsiunt .cc - 93.170.151.80 - Email: 
susan@michiganfarms.com 

piqvrrugd .cc - 93.170.156.63 - Email: 
susan@michiganfarms.com 

rroiqbznj .cc - 93.170.134.35 - Email: 
susan@michiganfarms.com 

ssyydqyh .cc - 93.170.131.206 - Email: 
susan@michiganfarms.com 


sucdugon .cc - 93.170.154.100 - Email: 
susan@michiganfarms.com 

tftrwxlg .cc - 93.170.130.133 - Email: 
susan@michiganfarms.com 

tirtop .cc - 188.72.198.21 - Email: 
elaynedangubic@gmail.com 
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uclrwpyp .cc - 93.170.131.38 - Email: 
susan@michiganfarms.com 

uomfchbj .cc - 93.170.131.10 - Email: 
susan@michiganfarms.com 

vrmmnicl .cc - 93.170.151.10 - Email: 
susan@michiganfarms.com 

vtgisihjy .cc - 93.170.133.163 - Email: 
susan@michiganfarms.com 

vwyldlbe .cc - 188.72.204.57 - Email: 
brigidadorion@gmail.com 

vzlbamuvs .cc - 93.170.130.49 - Email: 
susan@michiganfarms.com 

wgyxrmtld .cc - 93.170.152.226 - Email 
susan@michiganfarms.com 

xisuuzos .cc - 93.170.134.77 - Email: 
susan@michiganfarms.com 


xlkzmqiw .cc - 93.170.131.234 - Email: 
susan@michiganfarms.com 

zirtop .cc - Email: elaynedangubic@gmail.com 

zmtkpugbz .cc - 93.170.130.189 - Email: 
susan@michiganfarms.com 

zncutvk .cc - 174.137.171.117 - Email: 
susan@michiganfarms.com 

New blackhat SEO domains portfolio using NOC4Hosts Inc's 
services: 

rebuwe .net - 206.51.230.97 
sivezo .net - 206.51.230.98 
mipola .net - 206.51.230.95 
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kowipe .net - 206.51.230.92 
kerobo .net - 206.51.230.90 
gelupe .net - 206.51.230.104 
fuquwe .net - 206.51.230.103 
hyduve .net - 206.51.230.200 
bisehu .net - 206.51.230.99 
wypule .net - 206.51.230.95 
xylucy .net - 206.51.230.97 


xulady .net - 206.51.230.96 

lyqyte .net - 206.51.230.94 

nimygu .net - 206.51.230.96 

zuziki .net - 206.51.230.98 

symiza .net - 206.51.230.99 

bisehu .net - 206.51.230.99 

msrxdk .com - 188.72.192.78 - Email: 
charlenecrewshgkn@yahoo.com 

kimuka .net - 188.72.192.78 - Email: 
charlenecrewshgkn@yahoo.com 

ylkbin .com - 188.72.192.81 
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Portfolio of scareware domains participating in the blackhat 
SEO campaing, parked at 83.133.126.155; 88.198.107.25; 
88.198.120.177; 91.212.107.5; 94.102.51.26; 
188.40.61.236; 62.90.136.237; 91.212.127.200; 
78.46.251.43; 

91.212.107.5; 69.4.230.204; 78.46.251.43; 88.198.107.25; 
88.198.105.149; 88.198.233.225: 

reliable-scannerOl .com - Email: info@cansupply.com 

superb-virus-scan07 .com - Email: 
tours@admiralgroup.co.uk 


antivirus-online-scan8 .com - Email: 
webmaster@TangoDance.cn 

best-antivirus3 .com - Email: info@legtimeprime.com 

Iive-virus-scanner5 .com - Email: info@infy-tasks.com 

antivirus-online-scan4 .com - Email: pranky- 
marie@yahoo.com 

antispyware-scanner5 .com - Email: 
janny.marl23@yahoo.com 

antivirus-online-scan5 .com - Email: pranky- 
marie@yahoo.com 

Iive-virus-scanner7 .com - Email: info@infy-tasks.com 

clean-all-spyware .com - Email: 
jdemagis@rocheste.ganet.com 

getyoursecuritynowv2 .com - Email: info@meat- 
beaf.com.cn 
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getyourantivirusv3 .com - Email: info@meat-beaf.com.cn 

getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn 

antivirus-scannervl2 .com - Email: 
info@chinatownnetwork.com.cn 

safeonlinescannerv4 .com - Email: 
steg.gregl992@yahoo.com 


check-for-malwarev3 .com - Email: al@bis-solutions.com 

check-your-pc-onlinev3 .com - Email: al@bis- 
solutions.com 

searchurlguide .com - 64.86.16.9 - 
Emai I :powell.john ll@gmail.com 

securitypad .net - 206.53.61.70 - Email: 
gertrudeedickens@text2re.com 

prestotunerst .cn - 64.86.16.210 - Email: 
unitedisystems@gmail.com 

officesecuritysupply .com - Email: 
Ronald.T.Samora@spambob.com 

securityread .com - Email: Anna.R.Helm@dodgit.com 

scanasite .com - Email: Carol.J.Hipp@mailinator.com 

cheapsecurityscan .com - Email: 
Kevin.L.Linkous@trashymail.com 

securitysupplycenter .com - Email: 
Janet.R.Vasquez@spambob.com 

best-folder-scanv3 .com - Email: info@best-util-til.com 

online-best-scanv3 .com - Email: public@cropfactor.in 

online-defenderv9 .com - Email: public@cropfactor.in 

antispyware-live-scanv3 .com - Email: 
ervinl981rolf@yahoo.com 

antispywarelivescanv5 .com - Email: 
sales.in@bauhmerhhs.com 



antispyware-online-scanv7 .com - Email: 
ervinl981rolf@yahoo.com 

basicsystemscannerv8 .com - Email: 
changhong@corpdefence.cn 

bestpersonalprotectionv2 .com - Email: 
cfaal996@yahoo.com.cn 

bestpersonalprotectionv7 .com - Email: 
cfaal996@yahoo.com.cn 
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computer-antivirus-scanv9 .com - Email: 
melaniestarmelanie@yahoo.com 

fastvirusscanv6 .com - Email: info@rasystems.com 

govirusscanner .com - Email: 
contact@demoninchina.com 

mysafecomputerscan .com - Email: acurtis@stevens.com 

onlineantispywarescanv6 .com - Email: 
czoao@hotmail.com 

online-antivir-scanv2 .com - Email: iren.g@sysintern.in 

onlinebestscannerv3 .com - Email: info@srilanka.cn 

onlinepersonalscanner .com - Email: info@srilanka.cn 

onlineproantivirusscan .com - Email: 
addworld@freebbmail.com 


online-pro-antivirus-scan .com - Email: 
findz@freebbmail.com 

onlineproantivirusscanner .com - Email: 
findz@freebbmail.com 

online-secure-scannerv2 .com - Email: 
iren.g@sysintern.in 

personalantivirusprotection .com - Email: 
info@Wholesaler.cn 

personalfolderscanv2 .com - Email: 
hfbeauty@yahoo.com 

premium-antispy-scanv3 .com - Email: 
Ktrivedi@go2uti.com 
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premium-antispy-scanv7 .com - Email: 
Ktrivedi@go2uti.com 

premium-antivirus-scanv6 .com - Email: 
Ktrivedi@go2uti.com 

private-antivirus-scannerv2 .com - Email: 
webmaster@parun.co.kr 

privatevirusscannerv8 .com - Email: 
info@rasystems.com 

secure-antispyware-scanv3 .com - Email: info@prrp.de 
securepersonalscanner .com - Email: info@prrp.de 


secure-spyware-scannerv3 .com - Email: info@prrp.de 

secure-virus-scannerv5 .com - Email: info@prrp.de 

securityfolderprotection .com - Email: 
info@Wholesaler.cn 

spyware-scannerv2 .com - Email: 
hanan.abdelrazek@bibalexy.org 

spywarescannerv4 .com - Email: 
hanan.abdelrazek@bibalexy.org 

Sampled scareware from the last 24 hours phones back to 
mineralwaterfilter .com - 78.46.201.90. Parked there are 
also: june-crossover .com; goldmine-sachs .com; 
momentstohaveyou .cn. More sampled scareware phones 
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to a new domain Phones back to pencil-netwok .com 
(94.102.48.31), parked there are the rest of the phone back 
locations for the rest of the scareware such as 

mineralwaterfilter .com; june-crossover .com; 
goldmine-sachs .com; bestparishotelsnow .com 

A second sampled scareware phones back to a different 
location - 92.241.176.188. Parked there are the rest 

of the domains in their scareware portfolio: 

bestscanpc .org 
bestscanpc .biz 


downloadavr2 .com 


downloadavr3 .com 


trucount3005 .com 
antivirus-scan-2009 .com 
antivirusxppro-2009 .com 
advanced-virus-remover-2009 .com 
advanced-virus-remover2009 .com 
advanced-virusremover2009 .com 
bestscanpc .com 
xxx-white-tube .com 
blue-xxx-tube .com 
trucountme .com 
10-open-davinci .com 
vs-codec-pro .com 
vscodec-pro .com 
download-vscodec-pro .com 
v-s-codecpro .com 
antivirus-2009-ppro .com 
onlinescanxppro .com 
downloadavr .com 
bestscanpc .info 



bestscanpc .net 
bestscanpc .biz 

New/historical redirection domains used in the campaign, 
this time parked at 78.46.201.89/94.102.48.29/different 
locations as noted: 

beststarwars .cn - Email: allisonh@soeconline.org 

mashroomtheory .cn - Email: webmaster@TangoDance.cn 

space2009city .cn - Email: webmaster@TangoDance.cn 

messengerinfo .cn - Email: allisonh@soeconline.org 

greattime2009 .cn - Email: 
webmaster@seniorstuds.com.ar 

502 

iwanttowin .cn - Email: webmaster@seniorstuds.com.ar 
hardnut .cn - Email: tan.mei.sie@monash.com.my 
sitemechanics .cn - info@powertrackers.com 
exceldocumentsinfo .cn - Email: info@powertrackers.com 
chinafavorites .cn - Email: cmo@ci.springfields.or.us 
best-live-lottery .cn - Email: info@powertrackers.com 
adeptofmastery .cn - Email: info@powertrackers.com 
trytowintoday .cn - Email: info@powertrackers.com 



bulkdvdreader .cn - 94.102.48.29 - Email: 
info@powertrackers.com 

style-everywhere .com - 88.198.105.145 - Email: 
angy.helm21@yahoo.com 

clicksick .cn - 67.215.245.187 - Email: 
webmaster@clicksick.cn 

supportyourcountry .cn - Email: 
cmo@ci.springfields.or.us 

wheels-on-fire .cn - 94.102.48.29 - Email: 
epron.sales@epron.com.hk 

stillphotoshots .cn - 94.102.48.29 - Email: 
epron.sales@epron.com.hk 

delayyouranswer .cn - Email: info@globaltechs.com.cn 

getbestsales .cn - Email: info@globaltechs.com.cn 

library-presents .cn - Email: 
hanzellandgretell@googlemail.com 

in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - 
Email: admin@in-t-h-e.cn 

bestwishestoyou .cn - 94.102.48.29 - Email: 
hanzellandgretell@googlemail.com 

library-presents .cn - 94.102.48.29 - Email: 
hanzellandgretell@googlemail.com 

getbestsales .cn - 94.102.48.29 - Email: 
info@globaltechs.com.cn 


aware-of-future .cn - Email: info@globaltechs.com.cn 



nothing-to-wear .cn - Email: steg.gregl992@yahoo.com 

newsmediaone .com - 72.21.41.198 - Email: 
advertizers@newsmediaone.com 

bapoka .net - 87.118.96.6 

stylestatsl .net - 94.102.63.16 - Email: grem@yahoo.com 

luckystats .org - Email: director@climbing-games.com 

luckystatsl .com - Email: grem@yahoo.com 

lifewepromote .cn - Email: ruixiang.guo@yahoo.com 

securecommercialnews .cn - Email: 
contacts@swedbank.com.cn 

snowboard2009 .cn - Email: weinwein2@yahoo.com 
nothern-ireland .cn - Email: accabj@cn.accaglobal.com 
goldensunshine .cn - Email: info@tartirtar.com 
steplessculture .cn - Email: info@myfibernetworks.cn 
vipsoccermanager .cn - Email: opressorl992@yahoo.com 
b2b-forums .cn - Email: weinwein2@yahoo.com 
rondo-trips .cn - Email: acurtis@stevens.com 
mywatermakrs .cn - Email: shanghaihuny@yahoo.com 
gazsnippets .cn - Email: acurtis@stevens.com 
bestvanillaresorts .cn - Email: opressorl992@yahoo.com 
personalrespect .cn - Email: weinwein2@yahoo.com 



consensualart .cn - Email: shanghaihuny@yahoo.com 
yourholidaytoday .cn - Email: opressorl992@yahoo.com 
guidetogalaxy .cn - Email: stp9014@yahoo.com 
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Among the new monetization tactics used are the typical 
[20]pay-per-click malware-friendly search engines which act 
as both, redirectors to phony sites/scams, as well as keyword 
blackholes which help them assess the popularity for a 
particular keyword, and therefore start pushing it more 
aggressively through a process called synonymization. 

Interestingly, they're exclusively using the compromised 
.co.uk, as well as purely malicious blackhat SEO do¬ 
mains for scareware serving purposes, but continue using 
the ones they operate under the free DNS service providers 
for [21]monetization through the bogus search engines. The 
domains used in this monetization approach are as 

follows: 
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rivasearchpage .com - 64.27.21.5 - Email: support@ruler- 
domains.com 

triwoperl .com - 95.168.191.19 - Email: 
florenzaluwemba@gmail.com 


tropysearch .us - 74.52.216.46 - Email: tech@add- 
manager.com 

glorys .info (glorys .info/red/cube.js) - - 78.159.97.186 - 
Email: kor4seo@rambler.ru 

funnyblogetc .info/go.php - - Email: tigerwoodl@nm.ru 

triwoperl.corn's front page is currently relying on the 
[22]go.live.com javascript obfuscation. Deobfuscated it 505 

redirects to fi97 .net/jsr.php?uid=dir &group=ggl 
&keyword= &okw= &query=" , deja vu again - fi97 .net 

was used in the [23]Ukrainian "fan club's" blackhat SEO 
campaign in June. 

Monitoring of the campaign and takedown actions would 
continue, with an emphasis on the RBN connection 

from a related blackhat SEO campaign from last year. The 
gang is not going away anytime soon, but their campaigns 
definitely are. 

Related posts: 

[24] A Peek Inside the Managed Blackhat SEO Ecosystem 

[25] Dissecting a Swine Flu Black SEO Campaign 

[26] Massive Blackhat SEO Campaign Serving Scareware 

[27] From Ukrainian Blackhat SEO Gang With Love 

[28] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[29] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 



[30] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[31] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [32]Dancho Danchev's 
blog. 
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Movement on the Koobface Front - Part Two (2009- 
08-19 11:27) 

UPDATE13: The domain snimka31082009 .com has been 
suspended. Just like the domains listed in UPDATE11, it's 
worth pointing out that once the PrivacyProtect.org whois 
records return to their original state, all of the domains are 
registered using the name Rancho Ranchev - from Ukraine 
with typosquatting. 

UPDATE12: A new Koobface domain is in circulation across 
Facebook - snimka31082009 .com - snimka means photo 

- which redirects to the Chinese IP ( China Railcom 
Guangdong Shenzhen Subbranch) offering hosting services 
for the Koobface gang as of last week - 61.235.117.83 
/redirectsoft/go/fb w.php. The snimka31082009.com 
domain is in a process of getting shut down. 

UPDATE11: The latest Koobface domains masa31082009 
.com - Email: yxlvpewoztjox@gmail.com; pari270809 
.com 

- Email: baoyshzrcwmraq@gmail.com; rect08242009 
.com and suz!1082009 .com have been suspended. 












The Koobface gang has also changed the C &C domain in 
their latest updated pushed throughout the past 

couple of days. 

Interestingly, it's a [l]subdomain used in the Twitter 
campaign from July - cubman32 

.net.ua/.sys/?action=ldgen &v=14 and cubman32 
,net.ua/.sys/?action=ldgen &f=0 &a=-531027389 
&lang= 

&v=14 &c=0 &s=ld &l=1000 &ck=0 &c _fb=0 &c 
ms=0 &c hi=0 &c tw=0 &c be=0 &c _fr=-2 &c 
yb=-2 &c _tg=0 

&c _nl=0 &c _fu=-2. 

UPDATEIO: Two new Koobface domains, and a new 
redirector are in circulation across Facebook - 

rect08242009 

.com (61.235.117.83) and pari270809 .com, which 
redirects to masa31082009 .com/go/fb _w.php. The " 
[2]fan club" 

has also introduced updated the malware - web.reg 
.md/l/[3]v2prx.exe. 

The domains, pari270809 .com, rect08242009 .com 
and masa31082009 .com are in a process of getting shut 
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down. 


UPDATE9: Domain zadnik270809 .com - Email: 
baoyshzrcwmraq@gmail.com has been suspended. 

UPDATE8: 

Koobface reactivated itself once again at 61.235.117.83 - 
[4]China Railcom Guangdong Shenzhen 

Subbranch - a well known Zeus crimeware C &C, which is 
also apparently used for automatic hacking of third-party 
sites through [5]compromised FTP accounts. 

The gang has also introduced a new domain, used 
exclusively for Facebook campaigns - zadnik270809 .com 
- in particular zadnik270809 .com/youtube.com/w/? 
video which loads zadnik270809 
.com/youtube.com/w/ups.php and redirects to a well 
known Koobface redirector kiano-180809 .com/go/fb 
_w.php. 

Zadnik means a**hole. Domain suspension and IP take down 
are in progress. 

UPDATE7: Earlier today, TelosSolutions confirmed that" 
this customer has been removed from our network". 

Great news taking into consideration the fact that Directi's 
Abuse Desk has also suspended boomer-110809 .com, as 
well as upr200908013 .com. 

The Koobface gang responded to the take down action by 
once again moving to China, [6]61.235.117.83 (China 

Railcom Guangdong Shenzhen Subbranch) in particular. The 
IP has been taken care of, with all of Koobface campaigns 
once again in an "inactive stage". It's worth pointing out 
that kallagoonl3 .cn and allavers .org are also parked at 



this Chinese IP, with [7]both domains clearly involved in 

[8] Zeus crimeware campaigns. 

UPDATE6: Following the 24 hours downtime, the Koobface 
gang has found a new home online, courtesy of 

Telos-Solutions-AS/Telos Solutions LTD, with an ongoing 
migration of the Koobface C &C and campaign domains to 

[9] 91.212.127.140. Take down activities are in progress. 

UPDATE5: Oc3 Networks & Web Solutions Lie abuse team 
took care of [10]67.215.238.178. All of Koobface worm's 
campaigns once again redirect to nowhere. 
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UPDATE4: Koobface has been kicked out of China - again - 
courtesy of China's CERT, and is no longer responding to 
221.5.74.46. This is the second time that [ll]the Koobface 
gang is using the same IP for its central campaign domains, 
clearly indicating an ISP which "reserves its right to offer 
them services in the future once they stop receiving abuse 
notifications". 

So which hosting provider's services is [12]the Koobface 
botnet using for the time being? It's [13]67.215.238.178 - 

AS22298 - Netherlands Distinctio Ltd, which they were also 
using in the beginning of the month. A [14]new domain is in 
circulation across social networks/micro blogging services - 

kiano-180809 .com/go/fb2.php (67.215.238.178) Email: 
bigvillyxxx@gmail.com. Take down activities are in progress. 

UPDATE3: The entire portfolio of Koobface related domains 
is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ 


CNCGROUP IP network Chinal69 Guangzhou MAN. For 
instance, xtsd20090815 .com/youtube.com/xexe.php 

redirects to the actual IP 221.5.74.46 
/redirectsoft/go/fb2.php with piupiu- 
110809.com/achcheck.php, 

web.reg.md /l/[15]prx90.exe and web.reg.md/1 
/[16]prx90.exe as phone back locations. 

Two new compo¬ 
nents are dropped DDnsFilter.dll - MD5: 
0x8904BCEBACB2B878FF46C5EB0C5C57EB and 

DnsFilter.sys - MD5: 

0x30DD915396E46824DA92FE70485F7CF8 which 
[17]prevent infected users from interacting with antivirus 
vendor 

sites. 
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UPDATE2: The gang has responded to the take down 
activities, by using the only IP that wasn't shut down 
221.5.74.46, with piupiu-110809 .com, upr200908013 
.com, and upr200908013 .com already moved there. 

Interestingly, now that the gang's centralized domains used 
in the majority of campaigns are not responding thanks the 
quick reaction of BlueConnex, they've started embedding 
up to 15 iFrames directly loading IPs from the Koobface 
botnet. The script is detected as Trojan- 
Clicker.HTML.IFrame.a. The pattern? Each and every host is 


serving the fake Facebook page from a similar directory - 
/0x3E8/. 221.5.74.46 is in a process of getting shut down. 

UPDATE: Three hours after notification, Blue Square Data 
Group Services Limited ensures that" the customer has 
been disconnected permanently". It's a fact. All of Koobface 
worm's campaigns currently redirect to nowhere. Let's see 
for how long. 

Kuku Ruku Koobface! What does Koobface has to do with a 
legendary cocoa cream wafer [18]Koukou Roukou 

sold in the 90's? It's one of new domains introduced over 
the past seven days (kukuruku-290709 .com now offline 
thanks to community efforts). 

What is the [19]Koobface gang up to [20]anyway? Despite 
that they've randomized the automatically gener¬ 
ated directories on the compromised sites 

(kimchistory.freevar .com/fantasticfilms; 
tastemasters .ca/freeemOvie; simonsoderberg 
.se/mmymOvies; ekespangs .se/meggavideO; 
akesheronline .com/privaleshOw; belljarstudio 

.com/bestttube), the gang continues relying on 
centralized hosting for its campaigns. 
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During the week, they've migrated from 67.215.238 
.178/redirectsoft/go/fb _s.php (PacificRack.com) to 
85.234.141 

.92/redirectsoft/go/fb _s.php (BlueConnex Ltd), 
interestingly, they did so with all of the their currently 


active domains, the ones used as central redirection points 
on the thousands of legitimate/malicious sites participating 
in their campaigns. Interestingly, merely suspending a 
domain name wouldn't get you [21]a personal greeting from 

the Koobface gang, since they'll basically register a new 
one. Getting them kicked out of several different hosting 
providers simultaneously would. Upon having their newly 
pushed domains shut down, the gang stopped using 

domains and switched to the original IP of their hosting 
provider, once again requiring a direct ISP action, instead of 
domain registar's one. 

Koobface C &C, central malware campaign domains 
suspended through community efforts: 

- glavnij20090809 .com - Email: bigvillyxxx@gmail.com 
was parked at 85.234.141.92 

- kukuruku-290709 .com - Email: 

kuku.ruku.pam@gmail.com was parked at 85.234.141.92 

- superturbo20090809 .com - Email: 
bigvillyxxx@gmail.com was parked at 85.234.141.92 
([22]Super Turbo is yet another legendary product sold in 
the 90's) 

- bombimbom20090809 .com - Email: 
bigvillyxxx@gmail.com was parked at 85.234.141.92 
([23]Bombi Bom is also a classic chewing gum sold in the 
90's in Europe/Eastern Europe) 

- mishkigammy-060809.com - Email: 
kuku.ruku.pam@gmail.com was parked at 85.234.141.92 
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Currently active Koobface C &C domains, also participating 
in the CAPTCHA-solving, malware campaigns: 

- piupiu-110809 .com - 85.234.141.92 

- xtsd20090815 .com - 85.234.141.92 - Email: 
bigvillyxxx@gmail.com 

- boomer-110809 .com - 85.234.141.92 

- upr200908013 .com - 85.234.141.92 - Email: 
kfmnmkswrn kcxlgpfdxb68@gmail.com 

- suzll082009 .com - 85.234.141.92 - Email: 
xxmgbtwgdhyv@gmail.com 

- upr0306 .com - 221.5.74.46 China Unicom Guangdong 
province network - Email: bigvillyxxx@gmail.com 

- findhereandnow .com - 85.234.141.92 - Email: 
bigvillyxxx@gmail.com 

The CAPTCHA solving process on behalf of the infected 
victims, is exclusively targeting Google web proper¬ 
ties (piupiu-110809 

.com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754 

a519194.jpg). 

Koobface worm's 

captcha7.dll module is active at: 

- glavnij20090809 .com/cap/?a=get &i = l &v=7 

- suzll082009 .com/cap/?a=get &i=3 &v=7 


- boomer-110809 .com/cap/?a=get &i=4 &v=7 

- piupiu-110809 .com/cap/?a=get &i = 2 &v=7 

BlueConnex Ltd has been notified. The Koobface gang 
continues enjoying the largest market share of system¬ 
atic Web 2.0 abuse 

Related posts: 
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Movement on the Koobface Front - Part Two (2009- 
08-19 11:27) 

UPDATE13: The domain snimka31082009 .com has been 
suspended. Just like the domains listed in UPDATE11, it's 
worth pointing out that once the PrivacyProtect.org whois 
records return to their original state, all of the domains are 
registered using the name Rancho Ranchev - from Ukraine 
with typosquatting. 

UPDATE12: A new Koobface domain is in circulation across 
Facebook - snimka31082009 .com - snimka means photo 

- which redirects to the Chinese IP ( China Railcom 
Guangdong Shenzhen Subbranch) offering hosting services 
for the Koobface gang as of last week - 61.235.117.83 
/redirectsoft/go/fb w.php. The snimka31082009.com 
domain is in a process of getting shut down. 

UPDATE11: The latest Koobface domains masa31082009 
.com - Email: yxlvpewoztjox@gmail.com; pari270809 
.com 

- Email: baoyshzrcwmraq@gmail.com; rect08242009 
.com and suzll082009 .com have been suspended. 

The Koobface gang has also changed the C &C domain in 
their latest updated pushed throughout the past 

couple of days. 

Interestingly, it's a [ljsubdomain used in the Twitter 
campaign from July - cubman32 

.net.ua/.sys/?action=ldgen &v= 14 and cubman32 
.net.ua/.sys/?action=ldgen &f=0 &a=-531027389 
&lang= 



&v=14 &c=0 &s=ld &l = 1000 &ck=0 &c _fb=0 &c 
ms=0 &c hi=0 &c tw=0 &c be=0 &c _fr=-2 &c 
yb=-2 &c _tg=0 

&c _nl=0 &c _fu=-2. 

UPDATE10: Two new Koobface domains, and a new 
redirector are in circulation across Facebook - 

rect08242009 

.com (61.235.117.83) and pari270809 .com, which 
redirects to masa31082009 .com/go/fb w.php. The " 
[2]fan club" 

has also introduced updated the malware - web.reg 
.md/l/[3]v2prx.exe. 

The domains, pari270809 .com, rect08242009 .com 
and masa31082009 .com are in a process of getting shut 
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down. 

UPDATE9: Domain zadnik270809 .com - Email: 
baoyshzrcwmraq(a)gmail.com has been suspended. 

UPDATE8: 

Koobface reactivated itself once again at 61.235.117.83 - 
[4]China Railcom Guangdong Shenzhen 

Subbranch - a well known Zeus crimeware C &C, which is 
also apparently used for automatic hacking of third-party 
sites through [5]compromised FTP accounts. 


The gang has also introduced a new domain, used 
exclusively for Facebook campaigns - zadnik270809 .com 
- in particular zadnik270809 .com/youtube.com/w/? 
video which loads zadnik270809 
.com/youtube.com/w/ups.php and redirects to a well 
known Koobface redirector kiano-180809 .com/go/fb 
_w.php. 

Zadnik means a**hole. Domain suspension and IP take down 
are in progress. 

UPDATE7: Earlier today, TelosSolutions confirmed that" 
this customer has been removed from our network". 

Great news taking into consideration the fact that Directi's 
Abuse Desk has also suspended boomer-110809 .com, as 
well as upr200908013 .com. 

The Koobface gang responded to the take down action by 
once again moving to China, [6]61.235.117.83 (China 

Railcom Guangdong Shenzhen Subbranch) in particular. The 
IP has been taken care of, with all of Koobface campaigns 
once again in an "inactive stage". It's worth pointing out 
that kallagoonl3 .cn and allavers .org are also parked at 
this Chinese IP, with [7]both domains clearly involved in 

[8] Zeus crimeware campaigns. 

UPDATE6: Following the 24 hours downtime, the Koobface 
gang has found a new home online, courtesy of 

Telos-Solutions-AS/Telos Solutions LTD, with an ongoing 
migration of the Koobface C &C and campaign domains to 

[9] 91.212.127.140. Take down activities are in progress. 



UPDATE5: Oc3 Networks & Web Solutions Lie abuse team 
took care of [10]67.215.238.178. All of Koobface worm's 
campaigns once again redirect to nowhere. 
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UPDATE4: Koobface has been kicked out of China - again - 
courtesy of China's CERT, and is no longer responding to 
221.5.74.46. This is the second time that [ll]the Koobface 
gang is using the same IP for its central campaign domains, 
clearly indicating an ISP which "reserves its right to offer 
them services in the future once they stop receiving abuse 
notifications". 

So which hosting provider's services is [12]the Koobface 
botnet using for the time being? It's [13]67.215.238.178 - 

AS22298 - Netherlands Distinctio Ltd, which they were also 
using in the beginning of the month. A [14]new domain is in 
circulation across social networks/micro blogging services - 

kiano-180809 .com/go/fb2.php (67.215.238.178) Email: 
bigvillyxxx@gmail.com. Take down activities are in progress. 

UPDATE3: The entire portfolio of Koobface related domains 
is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ 

CNCGROUP IP network Chinal69 Guangzhou MAN. For 
instance, xtsd20090815 .com/youtube.com/xexe.php 

redirects to the actual IP 221.5.74.46 
/redirectsoft/go/fb2.php with piupiu- 
110809.com/achcheck.php, 

web.reg.md /l/[15]prx90.exe and web.reg.md/1 
/[16]prx90.exe as phone back locations. 


Two new compo¬ 


nents are dropped DDnsFilter.dll - MD5: 
0x8904BCEBACB2B878FF46C5EB0C5C57EB and 

DnsFilter.sys - MD5: 

0x30DD915396E46824DA92FE70485F7CF8 which 
[17]prevent infected users from interacting with antivirus 
vendor 

sites. 
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UPDATE2: The gang has responded to the take down 
activities, by using the only IP that wasn't shut down 
221.5.74.46, with piupiu-110809 .com, upr200908013 
.com, and upr200908013 .com already moved there. 

Interestingly, now that the gang's centralized domains used 
in the majority of campaigns are not responding thanks the 
quick reaction of BlueConnex, they've started embedding 
up to 15 iFrames directly loading IPs from the Koobface 
botnet. The script is detected as Trojan- 
Clicker.HTML.IFrame.a. The pattern? Each and every host is 
serving the fake Facebook page from a similar directory - 
/0x3E8/. 221.5.74.46 is in a process of getting shut down. 

UPDATE: Three hours after notification, Blue Square Data 
Group Services Limited ensures that" the customer has 
been disconnected permanently". It's a fact. All of Koobface 
worm's campaigns currently redirect to nowhere. Let's see 
for how long. 


Kuku Ruku Koobface! What does Koobface has to do with a 
legendary cocoa cream wafer [18]Koukou Roukou 

sold in the 90's? It's one of new domains introduced over 
the past seven days (kukuruku-290709 .com now offline 
thanks to community efforts). 

What is the [19]Koobface gang up to [20]anyway? Despite 
that they've randomized the automatically gener¬ 
ated directories on the compromised sites 

(kimchistory.freevar .com/fantasticfilms; 
tastemasters .ca/freeemOvie; simonsoderberg 
.se/mmymOvies; ekespangs .se/meggavideO; 
akesheronline .com/privaleshOw; belljarstudio 

.com/bestttube), the gang continues relying on 
centralized hosting for its campaigns. 
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During the week, they've migrated from 67.215.238 
.178/redirectsoft/go/fb _s.php (PacificRack.com) to 
85.234.141 

.92/redirectsoft/go/fb _s.php (BlueConnex Ltd), 
interestingly, they did so with all of the their currently 
active domains, the ones used as central redirection points 
on the thousands of legitimate/malicious sites participating 
in their campaigns. Interestingly, merely suspending a 
domain name wouldn't get you [21]a personal greeting from 

the Koobface gang, since they'll basically register a new 
one. Getting them kicked out of several different hosting 


providers simultaneously would. Upon having their newly 
pushed domains shut down, the gang stopped using 

domains and switched to the original IP of their hosting 
provider, once again requiring a direct ISP action, instead of 
domain registar's one. 

Koobface C &C, central malware campaign domains 
suspended through community efforts: 

- glavnij20090809 .com - Email: bigvillyxxx@gmail.com 
was parked at 85.234.141.92 

- kukuruku-290709 .com - Email: 
kuku.ruku.pam@gmail.com was parked at 85.234.141.92 

- superturbo20090809 .com - Email: 
bigvillyxxx@gmail.com was parked at 85.234.141.92 
([22]Super Turbo is yet another legendary product sold in 
the 90's) 

- bombimbom20090809 .com - Email: 
bigvillyxxx@gmail.com was parked at 85.234.141.92 
([23]Bombi Bom is also a classic chewing gum sold in the 
90's in Europe/Eastern Europe) 

- mishkigammy-060809.com - Email: 
kuku.ruku.pam@gmail.com was parked at 85.234.141.92 
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Currently active Koobface C &C domains, also participating 
in the CAPTCHA-solving, malware campaigns: 

- piupiu-110809 .com - 85.234.141.92 


- xtsd20090815 .com - 85.234.141.92 - Email: 
bigvillyxxx@gmail.com 

- boomer-110809 .com - 85.234.141.92 

- upr200908013 .com - 85.234.141.92 - Email: 
kfmnmkswrnkcxlgpfdxb68@gmail.com 

- suzll082009 .com - 85.234.141.92 - Email: 
xxmgbtwgdhyv@gmail.com 

- upr0306 .com - 221.5.74.46 China Unicom Guangdong 
province network - Email: bigvillyxxx@gmail.com 

- findhereandnow .com - 85.234.141.92 - Email: 
bigvillyxxx@gmail.com 

The CAPTCHA solving process on behalf of the infected 
victims, is exclusively targeting Google web proper¬ 
ties (piupiu-110809 

.com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754 

a519194.jpg) 

Koobface worm's 

captcha7.dll module is active at: 

- glavnij20090809 .com/cap/?a=get &i = l &v=7 

- suzll082009 .com/cap/?a=get &i=3 &v=7 

- boomer-110809 .com/cap/?a=get &i=4 &v=7 

- piupiu-110809 .com/cap/?a=get &i = 2 &v=7 

BlueConnex Ltd has been notified. The Koobface gang 
continues enjoying the largest market share of system- 



atic Web 2.0 abuse 


Related posts: 

521 

[24] Movement on the Koobface Front 

[25] Koobface - Come Out, Come Out, Wherever You Are 

[26] Dissecting Koobface Worm's Twitter Campaign 

[27] Dissecting the Koobface Worm's December Campaign 

[28] Dissecting the Latest Koobface Facebook Campaign 

[29] The Koobface Gang Mixing Social Engineering Vectors 
Ukrainian "fan club" and the Koobface connection: 

[30] Dissecting a Swine Flu Black SEO Campaign 

[31] Massive Blackhat SEO Campaign Serving Scareware 

[32] From Ukrainian Blackhat SEO Gang With Love 

[33] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[34] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[35] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[36] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 
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6th SMS Ransomware Variant Offered for Sale (2009- 
08-24 18:14) 

" Your copy of Windows has been blocked! You're using an 
unlicensed version of it! In order to continue using it, you 










































must receive the unlock key. AH you have to do is follow 
these steps: You must send a SMS message. You will receive 
an activation code once you do so. Enter the code and 
unlock your copy of Windows. " 

Anticipating the potential for monetization, cybercriminals 
are investing more time and resources into coming 

up with new features for their SMS based ransomware 
releases. Two of the very latest releases indicate their 

motivation and long-term ambitions into this newly 
emerged micro-payment ransomware channel. 

What's new, is the social engineering element, the self¬ 
replication potential through removable media, and 

the contingency planning through the use of multiple SMS 
numbers in case one of the numbers gets shut down. 

Let's go through some of the features of two newly released 
SMS ransomware variants offered for $20, and $30 

respectively. 

What's worth emphasizing on in respect to the first release, 
is that it's Windows 7 compatible, and is the first SMS 
ransomware that allows scheduled lock down after infection 
- presumably, the author included this feature in order to 
make it harder for the victim to recognize how he got 
infected at the first place - as well as multiple SMS 

numbers for contingency planning. 

Key features include: 


- Clean interace 



- Bypasses Safe Mode 


- Locks down the taskbar or any combination of keys that 
could allow a user to close the application 

- The error message can be customized 
524 


12 


- Ability to use multiple-unlock codes 

- Ability to use multiple SMS numbers from where the 
activation code will be obtained 

- Ability to lock the system immediately upon infection, or 
after a given period of tim 

- Auto-starting features, self-removal upon entering the 
correct activation code, and ensuring that the victim would 
no longer be infected with this release through the use of 
mutex-es. 

- This SMS ransomware is Windows 7 compatible 

The majority of SMS based ransomware is relying on the 
"Unlicensed Windows Copy" theme, but the first self- 
replicating through removable media propagation such 
ransomware is signaling a trend to come - social 
engineering throuhg impersonation in a typical scareware 
style. This release can be easily described as the first 
scareware with micro-payment ransom element offered for 
sale. 
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Basically, it attempts to impersonate Kaspersky Lab 
Antivirus Online and trick the infected user into thinking 
that Kaspersky has detected a piece of malware, has 
blocked it but since the malware changes its encryption 
algorithm the user has to send a SMS costing 150 rubles in 
order to receive the SMS that will block the malware. 
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This release also includes a timer, and a message explaining 
that re-installing Windows wouldn't change the situation in 
an attempt to further trick the user into sending the 
messsage. The release is exclusively released for Windows 
XP 

and is not Windows Vista compatible. 

Cybercriminals are known to understand the benefits of 
converging different successful and well proven tac¬ 
tics across different propagation/infection vectors. Now that 
we've seen [l]scareware with elements of ransomware, as 
well as [2]hijacking a browser session's ads and 

[3] demanding ransom to remove the adult content, it's only 
a matter of time to witness a micro-payment driven 
scareware campaign distributed through blackhat SEO and 
the 

usual channels. 

Related posts: 

[4] 5th SMS Ransomware Variant Offered for Sale 

[5] 4th SMS Ransomware Variant Offered for Sale 


[6] 3rd SMS Ransomware Variant Offered for Sale 

[7] SMS Ransomware Source Code Now Offered for Sale 

[8] New ransomware locks PCs, demands premium SMS for 
removal 

This post has been reproduced from [9]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/? p = 3Q14 

2. http://www.svmantec.com/connect/blo a s/lavers- 
tro i anransom paae 

3. httos://www- 

secure.svmantec.com/connect/blo a s/browsers-and-ransoms 

4. http://ddanchev.blo as pot.com/20Q9/Q7/5th-sms- 
ransomware-variant-offered-for.html 
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ransomware-vanant-offered-for.html 

6. http://ddanchev.blo as pot.com/2009/Q5/3rd-sms- 
ransornware-variant-offered-for.html 

7. http://ddanchev.blo as pot.com/20Q9/Q5/sms-ransomware- 
source-code-now-offered.html 
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Summarizing Zero Day's Posts for August (2009-09- 
01 15:46) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for August. 

You can also go through previous summaries for [2]July, 
[3]June, [4]May, [5]April, [6]March, [7]February, [8]January, 

[9]December f [10]November f [ll]October f [12]September, 
[13]August and [14]July, as well as subscribe to my 

[15]personal RSS feed or [16]Zero Day's main feed. 

Notable articles include - [17]Does Twitter's malware link 
filter really work?; [ 18]IE8 outperforms competing 

browsers in malware protection - again, and [19]Research: 
80 % of Web users running unpatched versions of 

Flash/Acrobat 

01. [20]Dead-finger tech: 3G USB Modem, Prestigio 
Powerbank 501 

02. [21]Does Twitter's malware link filter really work? 

03. [22]Fake Microsoft patch malware campaign makes a 
comeback 


04. [23]Plugins compromised in SquirrelMail's web server 
hack 

05. [24]Absolute Software downplays BIOS rootkit claims 

06. [25]Federal forms themed blackhat SEO campaign 
serving scareware 
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07. [26]Microsoft's Bing invaded by pharmaceutical 
scammers 

08. [27]Campaign Monitor hacked, accounts used for 
spamming 

09. [28]New Mac OS X DNS changer spreads through social 
engineering 

10. [29]IE8 outperforms competing browsers in malware 
protection - again 

11. [30]Research: 80 % of Web users running unpatched 
versions of Flash/Acrobat 

12. [31]The most dangerous celebrities to search for in 
2009 

13. [32]Source code for Skype eavesdropping trojan in the 
wild 

14. [33]Snow Leopard's malware protection only scans for 
two trojans 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/2009/Q8/summarizin a- 
zero-da vs- posts-fon ul v.html 









3. http://ddanchev.blo as DOt.com/2QQ9/Q7/summarizin a- 
zero-da vs- POSts-foN une.html 

4. http://ddanchev.blo as pot.com/2QQ9/Q6/summarizin a- 
zero-da vs- posts-for-mav.html 

5. http://ddanchev.blo as pot.com/2QQ9/Q5/summarizin a- 
zero-da vs- POSts-for-april.html 

6. http://ddanchev.blo as pot.com/2QQ9/Q3/summarizin a- 
zero-da vs- posts-for-march.html 

7. http://ddanchev.blo as pot.com/2QQ9/Q3/summarizin a- 
zero-da vs- posts-for.html 

8. http://ddanchev.blo as pot.com/20Q9/Q2/summarizin a- 
zero-da vs- posts-for- i anuarv.html 

9. http://ddanchev.blo as pot.com/2QQ9/Ql/summarizin a- 
zero-da vs- posts-for.html 

10. http://ddanchev.blo as pot.com/2QQ8/12/summarizin a- 
zero-da vs- posts-for.html 

11. http://ddanchev.blo as pot.com/2QQ8/ll/summarizin a- 
zero-da vs- posts-for-october.html 

12. http://ddanchev.blo as pot.com/2QQ8/lQ/summarizin a- 
zero-da vs- posts-for.html 

13. http://ddanchev.blo as pot.com/2QQ8/Q9/summarizin a- 
zero-da vs- posts-for-au a ust.html 

14. http://ddanchev.blo as pot.com/2QQ8/Q8/summarizin a- 
zero-da vs- posts-for- j ul v.html 
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22. htto://blo a s.zdnet.com/securit v/? o=3916 
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24. http://blo a s.zdnet.com/securit v/? p=3936 

25. htto://blo a s.zdnet.com/securit v/? p=3962 

26. htto://blo a s.zdnet.com/securit v/? p=3993 

27. http://blo a s.zd net.com/secu rit v/? o=4007 

28. http://blo a s.zdnet.com/securit v/? p=4024 

29. http://blo a s.zdnet.com/securit v/? p=4072 
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SMS Ransomware Displays Persistent Inline Ads 
(2009-09-03 15:14) 

SMS-based micro-payments are clearly becoming the 
monetization channel of choice for the majority of 
cybercriminals engaging in ransomware campaigns. The 
logic behind this emerging trend is fairly simple, and as 
everything else in the cybercrime underground these days, 
it has to do with efficiency. 

Compared to micro-payments, the 2008's [ljmonetization 
channel used by GPcode in terms of E-gold and Lib¬ 
erty Reserve accounts communicated over email - with 
cases where the gang wasn't even bothering to respond 

to infected victims looking for ways to pay the ransom - 
looks like a time-consuming and largely inefficient way to 

"interact" with the victims. 

Another recently released [2]SMS-based ransomware 
showing persistent ads within the [3]browser sessions of 

infected victims, and demanding a premium-rate SMS for 
removal, is the very latest indication of the micro-payment 
monetization channel trend. 
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The DIY ransomware is offered for sale at $100, with the 
typical "value-added" services in the form of managed 
undetected binaries through crypting. Since the command 
and control interface is web based (php + mysql), the 


author is actively experimenting with new features such as 
scheduled appearing of the ads, inventory of banners and 
affiliate program links, and the ability to use multiple SMS 
numbers next to multiple unlocking codes. 

Are the currently active ransomware "vendors" trendsetters 
or are they still in experimental mode? 

The business model of SMS-based ransomware is clearly 
lucrative, especially in situations where cybercrimi¬ 
nals are known to combine two or three different 
monetization tactics. 

However, compared to the [4]high 

profit-margins which cybecriminals earn through the 
scareware business model, SMS-based ransomware remains 
a 

developing market segment. 

Related posts: 

[5] 6th SMS Ransomware Variant Offered for Sale 

[6] 5th SMS Ransomware Variant Offered for Sale 

[7] 4th SMS Ransomware Variant Offered for Sale 

[8] 3rd SMS Ransomware Variant Offered for Sale 

[9] SMS Ransomware Source Code Now Offered for Sale 

[10] New ransomware locks PCs, demands premium SMS for 
removal 


[ll]Who's Behind the GPcode Ransomware? 



[12]ldentifying the Gpcode Ransomware Author 

This post has been reproduced from [13]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as DOt.com/20Q8/Q6/whos-behind- 
g pcode-ransomware.html 

2. http://www.svmantec.com/connect/blo a s/browsers-and- 
ransoms 

3. http://www.svmantec.com/connect/blo a s/lavers- 
tro i anransom paae 

4. http://ddanchev.blo as pot.com/2009/Q4/confickers- 
scarewarefake-securifv.html 

5. http://ddanchev.blo as pot.com/2Q09/Q8/6th-sms- 
ransomware-vanant-offered-for.html 

6. http://ddanchev.blo as pot.com/2009/Q7/5th-sms- 
ransomware-vanant-offered-for.html 

7. http://ddanchev.blo as pot.com/2009/Q7/4th-sms- 
ransomware-variant-offered-for.html 


8. http://ddanchev.blo as pot.com/2009/Q5/3rd-sms- 
ransomware-variant-offered-for.html 
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9. http://ddanchev.blo as pot.com/2009/Q5/sms-ransomware- 
source-code-now-offered.html 


10. http://blo a s.zdnet.com/securit v/? p=3197 

11. http://ddanchev.blo as pot.com/2008/Q6/whos-behind- 
g pcode-ransomware.html 







































12. http://ddanchev.blo os pot.com/2008/Q9/identifvin o- 
g pcode-ransomware-author.html 

13. http://ddanchev.blo gs pot.com/ 
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SMS Ransomware Displays Persistent Inline Ads 
(2009-09-03 15:14) 

SMS-based micro-payments are clearly becoming the 
monetization channel of choice for the majority of 
cybercriminals engaging in ransomware campaigns. The 
logic behind this emerging trend is fairly simple, and as 
everything else in the cybecrime underground these days, it 
has to do with efficiency. 

Compared to micro-payments, the 2008's [ljmonetization 
channel used by GPcode in terms of E-gold and Lib¬ 
erty Reserve accounts communicated over email - with 
cases where the gang wasn't even bothering to respond 

to infected victims looking for ways to pay the ransom - 
looks like a time-consuming and largely inefficient way to 

"interact" with the victims. 

Another recently released [2]SMS-based ransomware 
showing persistent ads within the [3]browser sessions of 

infected victims, and demanding a premium-rate SMS for 
removal, is the very latest indication of the micro-payment 
monetization channel trend. 
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The DIY ransomware is offered for sale at $100, with the 
typical "value-added" services in the form of managed 
undetected binaries through crypting. Since the command 
and control interface is web based (php + mysql), the 

author is actively experimenting with new features such as 
scheduled appearing of the ads, inventory of banners and 
affiliate program links, and the ability to use multiple SMS 
numbers next to multiple unlocking codes. 

Are the currently active ransomware "vendors" trendsetters 
or are they still in experimental mode? 

The business model of SMS-based ransomware is clearly 
lucrative, especially in situations where cybercrimi¬ 
nals are known to combine two or three different 
monetization tactics. 

However, compared to the [4]high 

profit-margins which cybecriminals earn through the 
scareware business model, SMS-based ransomware remains 
a 

developing market segment. 

Related posts: 

[5] 6th SMS Ransomware Variant Offered for Sale 

[6] 5th SMS Ransomware Variant Offered for Sale 

[7] 4th SMS Ransomware Variant Offered for Sale 

[8] 3rd SMS Ransomware Variant Offered for Sale 


[9] SMS Ransomware Source Code Now Offered for Sale 

[10] New ransomware locks PCs, demands premium SMS for 
removal 

[11] Who's Behind the GPcode Ransomware? 

[12] ldentifying the Gpcode Ransomware Author 

This post has been reproduced from [13]Dancho Danchev's 
blog. 
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News Items Themed Blackhat SEO Campaign Still 
Active (2009-09-07 22:42) 

According to a [l]blog post at PandaLabs, a massive and 
very persistent blackhat SEO campaign exclusively 
hijacking 

11 hot BBC and CNN news 11 related keywords has once again 
popped-up on their radars. [2]The campaign itself has been 
active since April, when I last analyzed it. 

What has changed? 

Instead of relying on purely malicious domains, the 
[3]Ukrainian fan club, the one with the Koobface connec¬ 
tion, remains the most active blackhat SEO group on the 
Web, and due to the quality of the historical OSINT making 
it possible to detect their activity - [4]practice which 
prompts them to [5]insuIt back - they're also starting to put 
efforts into making it look like it's another group. 
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However, knowing the tools and tactics that they use, next 
to evident efficiency-centered mentality, they continue 
leaving minor leads that make it possible to establish a 
direct relationship between the group, the Koobface worm 
and the majority of blackhat SEO campaigns launched 
during the last couple of months across the entire Web. 

The "News Items" themed blackhat SEO campaign is also 
serving scareware from the domains already participating in 
the U.S Federal Forms themed blackhat SEO campaign, 
what's new is the typical dynamic change of the 

redirectors in place. 
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Let's dissect a sample campaign currently parked at 
[6]coolinc.info. Once the http referrer checks are met, 

bernie-madoff.coolinc . info/fox-2 5-news, html 

executes the campaign through a static images/ads.js 
located on all of the subdomains participating in campaign 

(bernie-madoff.coolinc .info/images/ads.js; eenadu- 
epaper.hmsite 

.net/images/ads.js) with generic detection triggered only 
by Sophos as Mal/ObfJS-CI. 

Through a series of redirectors - usanews2009 
.com/index.php - 78.46.129.170 - Email: 
derrick2@rmail.ru; 

newscnn2009 .com/index.php - 193.9.28.62 - Email: 


derrick2@mail.ru; cnnnews2009 .com/index.php - 

91.203.146.38 - EMail: derrick2@mail.ru; the user is 
redirected to the scareware domain through justintim- 

berlakestream .com/?pid=95 &sid=4e6ffe- 
193.169.12.70; Email: info@zebrainvents.com. 

The [7]scareware itself (phones back to 
worldrolemodeling .com/?b=lsl - 193.169.12.71) is 
[8]dynamically served through 78.46.201.89; 
193.169.12.70 and 92.241.177.207 with an diverse portfol 
of fake security software domains parked there. 
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Parked at 92.241.177.207 are: 

best-scanpc .com 
bestscanpc .org 
downloadavr2 .com 
downloadavr3 .com 
trucount3005 .com 
antivirus-scan-2009 .com 
antivirusxppro-2009 .com 
advanced-virus-remover-2009 .com 
advanced-virusremover-2009 .com 


advanced-virus-remover2009 .com 


advanced-virusremover2009 .com 
best-scanpc .com 
bestscanpc .com 
xxx-white-tube .com 
rude-xxx-tube .com 
blue-xxx-tube .com 
trucountme .com 
10-open-davinci .com 
vs-codec-pro .com 
vscodec-pro .com 
1-vscodec-pro .com 
download-vscodec-pro .com 
v-s-codecpro .com 
antivirus-2009-ppro .com 
onlinescanxppro .com 
downloadavr .com 
bestscanpc .info 
bestscanpc .net 
nsl.megahostname .biz 
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ns2.megahostname .biz 

Parked at 78.46.201.89 (IP used in the [9]U.S Federal Forms 
themed blackhat SEO campaign) are also: 

virscan-onlinel .com 

virscan-livel .com 

antivirus-promo-scanl .com 

valueantivirusshopl .com 

megaspywarescan2 .com 

worldbestonlinescanner2 .com 

hqvirusscanner2 .com 
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warningmalwarealert2 .com 
totalspywarescan3 .com 
antivirus-promo-scanner3 .com 
bewareofvirusattacks3 .com 
totalspywarescan4 .com 
worldbestonlinescan5 .com 
megaspywarescan5 .com 
totalspywarescan5 .com 


hqvirusscanner5 .com 
warningmalwarealert5 .com 
hqvirusscanner8 .com 
antivirus-promo-scan9 .com 
worldbestonlinescan9 .com 
antivir-scan-my-pc .com 
antivir-scan-online .com 
remove-all-pc-adware .com 
antivir-my-pc-scan .com 
leading-malware-scan .com 
leading-antispyware-scan .com 
antivirus-promo-scan .com 
tryantivir-scan .com 
leading-antivirus-scan .com 
megaspywarescan .com 
totalspywarescan .com 
worldsbestantivirscan .com 
awardantivirusscan .com 
winningantivirusscan .com 
tryantivirusscan .com 



worldsbestscan .com 


tryantivir-scanner .com 
worldbestonlinescanner .com 
tryantivirscanner .com 
tryantivirusscanner .com 
hqvirusscanner .com 
worldsbestscanner .com 
antivirscanmycomputer .com 
warningvirusspreads .com 
bewareofvirusattacks .com 
secure.web-software-payments .com 
warningmalwarealert .com 
warningspywarealert .com 
warningvirusalert .com 
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Parked at 193.169.12.70 are also more scareware 
domains/payment gateways/malware redirectors used in the 

campaign: 

colonizemoon2010 .com 


blastertroops2011 .com 
virscan-onlinel .com 
virscan-livel .com 
antivirus-promo-scanl .com 
valueantivirusshopl .com 
megaspywarescan2 .com 
worldbestonlinescanner2 .com 
hqvirusscanner2 .com 
warningmalwarealert2 .com 
antivirus-promo-scanner3 .com 
bewareofvirusattacks3 .com 
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totalspywarescan4 .com 
worldbestonlinescan5 .com 
megaspywarescan5 .com 
totalspywarescan5 .com 
hqvirusscanner5 .com 
warningmalwarealert5 .com 
hqvirusscanner8 .com 
antivirus-promo-scan9 .com 



worldbestonlinescan9 .com 
antivir-scan-my-pc .com 
becomemybestfriend .com 
bravemousepride .com 
antivir-scan-online .com 
emphasis-online .com 
justseethisonline .com 
futureshortsonline .com 
remove-all-pc-adware .com 
waitforsunrise .com 
funpictureslive .com 
justintimberlakestream .com 
antivir-my-pc-scan .com 
leading-malware-scan .com 
leading-antispyware-scan .com 
antivirus-promo-scan .com 
tryantivir-scan .com 
leading-antivirus-scan .com 
totalspywarescan .com 
worldsbestantivirscan .com 



awardantivirusscan .com 
winningantivirusscan .com 
tryantivirusscan .com 
worldsbestscan .com 
tryantivir-scanner .com 
worldbestonlinescanner .com 
tryantivirscanner .com 
tryantivirusscanner .com 
hqvirusscanner .com 
worldsbestscanner .com 
antivirscanmycomputer .com 
obbeytheriver .com 
obamanewterror .com 
warningvirusspreads .com 
watch2010movies .com 
primeareanetworks .com 
investmenttooltips .com 
executive-officers .com 
newsoverworldhot .com 
management-overview .com 



justthingsyouneedtoknow .com 
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criticalmentality .com 

In between the central redirectors, counters from known 
domains affiliated with the Ukrainian fan club are 

also embedded as iFrames - sexualporno 
.ru/admin/red/counter2.html (74.54.176.50; Email: 
skypixre@nm.ru) leading to sexualporno 
.ru/admin/red/mwcounter.html. Parked on 
[10]74.54.176.50 are related domains that were once using 
the [ll]ddanchev-suck-my-dick.php redirection, such as 
sexerotika2009 .ru; celki2009 .ru; seximalinki 

.ru and videoxporno .ru, as well as the de-facto counter 
used by the gang - c.hit.ua/hit?i = 6001. 

Does this admin/red directory structure ring a bell? But, of 
course. In fact the ddanchev-suck-my-dick redirectors 
originally introduced by the Ukrainian fan club are still in 
circulation - for instance not only is videoxporno 

.ru/admin/red/ddanchev-suck-my-dick.php (parked at 
the very same 74.54.176.50) still active, but the gang has 
pushed an update to all of their campaigns, once again 
establishing a direct connection between previous ones and 
the ongoing "News Items" themed one. 

The ddanchev-suck-my-dick.php file has a similar Mac, 
Firefox and Chrome check just like the U.S federal forms 
themed campaign, and the original "Hot News" themed 


campaigns - if (navigator.appVersion.indexOf("Mac")!=-l) 
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win do w. I oca tion="h ttp ://www. zmi. com/?did=5663 

The script also includes a central iFrame from the now 

known malicious coolinf .info - dash-store.coolinc 
.info/images/levittpedofil.html which redirects to 

1008. myhome 

.tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 

1009. wo .tc/8/ss.php to finally load the now known 

justintimberlakestream .com/?pid=42 &sid = 8f68b5 

The bottom line - the Ukrainian "fan club" is a very decent 
example of a multitasking cybecrime enterprise that is not 
only systematically abusing all the major Web 2.0 services, 
but is also directly involved with [ 12]the Koobface botnet. 

Monitoring of their campaigns, and take down actions would 
continue. 

Related posts: 

[13] Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign 

[14] U.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding 

[15] Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware 

[16] A Peek Inside the Managed Blackhat SEO Ecosystem 

Historical OSINT of the group's blackhat SEO 
campaigns pushing Koobface samples, and the 



connections be¬ 


tween the campaigns: 

[17] Movement on the Koobface Front - Part Two - detailed 
account of the domain suspension and direct ISP take 

down actions against the gang during the last month 

[18] Movement on the Koobface Front 

[19] Koobface - Come Out, Come Out, Wherever You Are 

[20] Dissecting a Swine Flu Black SEO Campaign 

[21] Massive Blackhat SEO Campaign Serving Scareware 

[22] From Ukrainian Blackhat SEO Gang With Love 

[23] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[24] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[25] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[26] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 
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Ukrainian "Fan Club" Features Malvertisement at 
NYTimes.com (2009-09-14 20:04) 

If my [l]Ukrainian "fan club" can [2]exploit weaknesses in 
the online [3]ad publishing model for scareware [4]serving 
purposes, anyone else could. 

Yesterday, the NYTimes.com posted a [5]note to readers, 
confirming that a malvertisement campaign some¬ 
how made on their web site, resulting in the automatic 
exposure of users to scareware: 

11 Some nytimes.com readers have reported seeing a pop-up 
box warning them about a virus and directing them to a site 
that claims to offer antivirus software. We believe this was 
generated by an unauthorized advertisement and are 
working to prevent the problem from recurring. If you see 
such a warning, we suggest that you not dick on it. 

Instead, quit and restart your Web browser. " 
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Who's behind this malvertising campaign? Let the data 
speak for itself. 

According to [6]a published assessment of the campaign, 
the redirector and scareware domains involved in 

the malvertising incident are also in circulating in 
[7]blackhat SEO campaigns courtesy of the Ukrainian gang 
(the post is updated daily with the very latest redirector and 
scareware domains pushed by the gang). 

In the NYTimes.com malvertising attacks, that's sex-and- 
the-city .cn (parked at [8]94.102.48.29 where the rest of 
their redirectors are) acting as redirector leading to the 
protection-check07 .com scareware, parked on the very 
same IPs ([9]91.212.107.5; 94.102.51.26; 88.198.107.25) 
like the rest of the new [10]scareware domains 

systematically updated once or twice during a 24 hours 
period, again courtesy of the "fan club". 

The [11]last sample in circulation, phones back to 

windowsprotection-suite .net - Email: 

gertrudeedick- 

ens@text2re.com; mysecurityguru .cn - 64.86.16.170 - 
Email: andrew.fbecket@gmail.com also maintains secure- 
pro 

.cn; and to securemysystem .net - Email: 
gertrudeedickens@text2re.com 
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The [12]NYTimes.com malvertisement assessment also 
highlights tradenton .com - 212.117.166.69 - Email: 

shawn@tradenton.com as the domain used in the ad 
rotation. Interestingly, related malvertisement domains 

managed by the same gang, have already been reported in 
[13]related malvertising attacks, are also parked on the 
same IP: 

relunas .com - Email: admin@relunas.com 

kennedales .com - Email: admin@kennedales.com 

harlingens .com - Email: admin@harlingens.com 

newadsresults .com - Email: ritaj@gmail.com 

waveadvert .com - Email: lindahg@yahoo.com 

As always, what would originally seem as an isolated 
incident orchestrated by yet to be analyzed cybecrime 

gang, is in fact a great example of [14]underground 
multitasking in action through the convergence of 
[ 15]different attack tactics, courtesy of a single cybercrime 
enterprise. 

Related malvertising posts: 

[16] Malicious Advertising (Malvertising) Increasing 

[17] MSN Norway serving Flash exploits through 
malvertising 

[18] Fake Antivirus XP pops-up at Cleveland.com 

[19] Scareware pops-up at FoxNews 
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Koobface Botnet's Scareware Business Model (2009- 
09-16 20:45) 

UPDATE1: TrendMicro just confirmed the ongoing 
[l]double-layer monetization of Koobface. Meanwhile, the 
gang is rotating the scareware domains with new ones 




































pushed by popup.php, followd by two recently updated 
Koobface 

components. 

The [2]new scareware domains kjremover .info; Irxsoft 
.info - 212.117.160.21 - Email: niclas@i.ua actually 

[3]download it from the well known q2bf0fzvjb5ca .cn 
portfolio, which phones back to the same domains listed 
previously, with only a slight change in the filename - 

urodinam .net/8732489273.php. The generic detection 
rate for the updated components (61.235.117.83 
/bin/[4]get.exe; 61.235.117.83 

/bin/[5]v2webserver.exe) with get.exe phoning back to a 
domain parked at the takedown-proof, China-based 

61.235.117.83, in particular gdehochesh 

.com/ad m/index, php. 

Just like Conficker, the [6]Koobface botnet is no stranger to 
the [7]scareware business model and the poten¬ 
tial for monetization of the hundreds of thousands of 
infected hosts. 

However, changes made in the campaign structure of the 
Koobface botnet during the last couple of days, indi¬ 
cate that the Koobface gang has embedded a pop-up at 
each and every host that's automatically rotation different 
scareware brands. They're now officially monetizing 
the botnet using a scareware business model. 

Let's analyze the latest changes introduced by the Koobface 
gang over the last couple of days and emphasize 
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on the monetization tactics introduced by the gang. 

[8]Next to [9]insulting, showing [10]gratitude, the 
[ll]Koobface gang also has a (black) sense of humor - 
within one of the directories at the takedown-proof 
command and control used by the gang in China 
([12]61.235.117.83; at 

61.235.117.83/bin in particular) they've left the following 
message " 2008 ali baba and 40, LLC". [13]Ali Baba and 
the Forty Thieves is a 1944 film based on the original [14]Ali 
Baba character. 

Compared to previous campaigns relying on centralized 
command and control and redirection points - making 

them easy to shut down - the ongoing Facebook campaigns 
are dynamically redirecting to IPs within the Koobface 

network, which combined with their use of compromised 
legitimate sites is supposed to make the take down of their 
campaigns a bit more time consuming. 
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That's, of course, not the case since undermining their 
monetization approaches undermines the monetary value of 
their campaigns, which is what they're after this time. The 
Koobface gang has now embedded a single line within each 
and every infected host used in the campaign, in order to 
not only attempt to infect new visitors with the Koobface 


malware itself, but to also trick them into installing the 
scareware which is rotated as usual. 

dangerWindAdr = 61.235.117.83/ popup.php loads on 
each and every Facebook spoof page part of the bot¬ 
net and is then redirecting the most popular scareware 
template, the My computer Online Scan. 
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The first scareware domain used in the last 48 ryacleaner 
.info/hitin.php?affid=02979 (212.117.160.211 parked 
there as also eljupdate .info Email: niclas@i.ua and 
dercleaner .info Email: niclas@i.ua) was serving 
setup.exe which is downloading the actual [15]scareware 
executable from mt3pvkfmpi7de .cn/get.php?id=02979 
(220.196.59.23). 

What's so special about this domain? It was last profiled in 
the [16]A Diverse Portfolio of Fake Security Software - 

Part Twenty Three with the entire portfolio of .cn domains 
parked at the same IP registered under the same email - 

robertsimonkroon@gmail.com. 

The second scareware domain pushed by the Koobface 
during the last 24 hours, gotrioscan .com/?uid=13301 

- 91.212.107.103 - momorule@gmail.com redirects to 
plazec .info/22/?uid = 13301 - 91.212.107.103 - Email: 
bebrashe@gmail.com where the [17]scareware is served. 
Parked at the same IP is the rest of thescareware domains 
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portfolio pushed by Koobface: 

in5id .com 
in5ch .com 
goscanback .com 
goscanlook .com 
gofatescan .com 
goeachscan .com 
gobackscan .com 
goironscan .com 
gotrioscan .com 
ia-pro .com 
iantivirus-pro .com 
iantiviruspro .com 
windoptimizer .com 
woptimizer .com 
in5cs .com 
wopayment .com 
in5st .com 
zussia .info 
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plazec .info 
gaudad .info 
voided .info 
gelded .info 
tithed .info 
botled .info 
tented .info 
fatted .info 
unowed .info 
wzand .info 
searce .info 
prarie .info 
meyrie .info 
pittie .info 
penvie .info 
figgle .info 
sawme .info 
droope .info 


haere .info 


scarre .info 
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undeaf .info 
adjudg .info 
wiving .info 
slatch .info 
bedash .info 
dolchi .info 
sighal .info 
devicel .info 
knivel .info 
freckl .info 
scrowl .info 
usicam .info 
spelem .info 
vagrom .info 
numben .info 
speen .info 
krapen .info 


a twain .info 
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declin .info 
inclin .info 
unclin .info 
towton .info 
grumio .info 
stampo .info 
extrip .info 
polear .info 
benber .info 
kedder .info 
erpeer .info 
argier .info 
fulier .info 
lavyer .info 
inquir .info 
orodes .info 


faites .info 


beeves .info 


quoifs .info 
filths .info 
broths .info 
nevils .info 
swoons .info 
sallat .info 
a pa let .info 
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reglet .info 
camlet .info 
plamet .info 
hownet .info 
fosset .info 
cuplift .info 
raught .info 
holdit .info 
unroot .info 
unwept .info 


anmast .info 


ticedu .info 
outliv .info 
onclew .info 
froday .info 
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mayray .info 
tenshy .info 
steepy .info 
miloty .info 
debuty .info 
fifthz .info 
potinz .info 
caretz .info 
narowz .info 

What do these two scareware executables have in common? 
Its the phone back locations that the Koobface gang is 

using, reveling its participation in a scareware affiliate 
network called Crusade Affiliates. 
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The first phone back location urodinam.net /dfgsdfsdf 
.php - 122.224.9.67 adds a .bat file which would attempt to 
obtain mshta.exe from urodinam.net/33t .php? 
stime=1253063118 on hourly basis. The second phone 
back location is the Crusade Affiliates network that shares 
revenue with the Koobface gang whenever a scareware 
pushed by the gang is purchased - crusade-affiliates 
.com/install.php?id=02979 - 85.17.139.149. 

The third phone back location is a direct download attempt 
of [18]FraudTool.Win32.SecretService; RogueAn- 

tiSpyware.PrivacyCenter.AJ from 0ni9ols3feu60 
.cn/u4.exe - 220.196.59.23. It's pretty evident that the 
Koobface botnet is now relying on multiple layers of 
monetization approaches. 

The Koobface gang has been pretty during the last couple of 
days. 

The following list of Koobface malware 

spreading domains are in circulation across social 
networking sites since the last 48 hours, consisting of a 
combination of purely malicious and compromised 
legitimate sites: 

3sss .com/youtube.com 

4bond .it/youtube.com 

ac2j .com/freeemOvies 

acedl979 .freehostia.com/yOurfilm 

alexandrialocksmith .net/uncensOredvideO 


alpha.kei .pl/amalzlngfilms 
alruwaithy .com/extrlmeperfOrmans 
astoundeddesign .com/privaledemOnstration 
awwfuck .me/fuunnyactiOn 
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baddog.me .uk/uncensOredclip 
bbckzoo .com/extrlmedwd 
bbckzoo .com/mmyperfOrmans 
be. la/freeefilms 
bencaputoprinting .com/cOOIfilm 
bicentenario.sc49 .info/mmyfilm 
bighornrivercabins .com/cOOIvIds 
biskopsto .fo/fantaSticmOvie 
bloch-data .dk/cOOIvlds 
bokongerslev .dk/amalzlngmOvie 
bokongerslev .dk/extrlmeactiOn 
book-daImose .dk/extrlmeperfOrmans 
campionariadigalatina .it/youtube.com 
carlamo .com/extrlmeclip 


centerforyourhealth .com/extrlmemOvies 
centralbaptist.org .au/fantasticvideO 
certtiletechs .com/fuunnymOvies 
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cisaimpianti .net/youtube.com 

claykelley .net/extrlmevlds 

claykelley .net/mmyvideO 

clubatleticigualada .com/yOurclip 

connoro .com/bestshOw 

consignbuydesign .com/fuunnyttube 

dkflyt .dk/mmytw 

downingfarms .com/bestactiOn 

eminfinity.com .au/amalzlngclips 

eminfinity.com .au/uncensOredshOw 

endurancesportscar .com/extrlmemOvies 

epicent .dk/publicfilm 

evaracollin .be/mmyfilms 

exceleronmedical .com/amalzlngclips 

exceleronmedical .com/cOOlperfOrmans 

exceleronmedical .com/privalettube/?youtube.com 



finolog .com/privalemOvie 

fitslim .com/fantasticdemOnstratiOn 

gacogop .org/fuunnyclips 

gamlabodens .se/privaletw 

garagedoorsnow .com/meggademOnstratiOn 

garlicworld .com/mmymOvie 

garlic world .com/uncensOredperfOrmans 

gcillustration .com/extrlmevideO 

germanamericantax .com/publicmOvie 

happyholidaychristmastrees 

.com/uncensOredperfOrmans 

horaexata.com .br/cOOIclip 

huffmanfarms .com/fantasticfilms 

imagequest360 .com/fantasticmOvies 

inartdesigns .com/extrlmevideO 

interception .dk/mmyttube 

kalender.sttmedia .se/amalzlngdemOnstratiOn 

kartingclubsourdsnamur .be/besttw 

kiding.users.digital-crocus .com/mmymOvies 

kloerfem .dk/amalzlngshOw 



kracl .com/freeeshOw 
kreativdizajn .com/amalzlngvlds 
ktvsongs .com/publicactiOn 
lonestargcs .com/mmydwd 

losangelesfurniture .com/fantasticdemOnstratiOn 

Ir-online .dk/cOOIfilms 

Ir-online .dk/yOurshOw 

marketmarkj .com/privalemOvies 

martinhorngren .com/privalettube 

meetingpacket .com/youtube.com 

microscoop .net/fantasticttube 

momentsbypat .com/publicmOvie 

mtn-ejendomme .dk/mmyactiOn 
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nadiottawa .org/publicclips 
naestved-sportscollege .dk/amalzlngactiOn 
nicalandnow .com/uncensOredvlds 
odyssey-consultants .com/amalzIngvideO 
odyssey-consultants .com/mmymOvie 


onlyfun .se/extrlmeclip 
pridesoccer .com/privaleclips 
quicksilver-direct .com/amalzlngfilm 
reddoorchina .com/mmyvlds 
relivery .com/extrlmeshOw 
ristorocasanova .it/youtube.com 
sanfranciscocookie .com/fantasticfilms 
sarkos .ch/fuunnyperfOrmans 
saudiclubs .org/fantasticvlds 
sauipeswimwear .com/cOOImOvie 
schoolofhiphop .no/freeefilms 
senegalinfoservices .com/bestactiOn 
squashigualada .com/extrlmevlds 
starcraftdream .com/fuunnyvlds 
stm.frihost .org/freeefilm 
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stringer .no/uncensOredactiOn 
sttmedia .se/fantastictw 
taia.com .br/uncensOreddwd 
thefurniturewarehouse .net/mmymOvies 



theidusshop .com/publictw 
thepinflow .com/meggashOw 
thorsen-meyer .dk/bestclips 
tivity .dk/amalzlngmOvie 
tivity .dk/fantasticfilms 
tizianamaniezzo .com/fantasticclips 
tohva .org/bestactiOn 
troop270 .nwsc.org/fuunnydwd 
txmurphys .com/cOOIfilm 
tybjerglillebakkervand .dk/privalemOvie 
vagnpfisk .dk/privalemOvie 
vivaipirovano .com/youtube.com 
xanchise .com/cOOIclip 
yurafting .com/amalzlngvlds 

[19]Sampled Koobface binary now phones back to 

bianca.trinityonline .biz/.sys/?action = ldgen &v=14 
and bianca.trinityonline .biz/.sys/?action = ldgen 
&a = 590837698 &v=14 &l = 1000 &c _fb=0 &c _ms=0 
&c hi=0 &c tw=0 



&c be=0 &c tg=0 &c nl=0. 69.163.147.203 - Email: 
email@darrenjames.net, with the latest Koobfae update 
modules detected as follows - 61.235.117.83 
/bin/[20]v2prx.exe; 61.235.117.83 /bin/[21]pp.12.exe 

The "Koobface botnet and the 40 cybercriminals" (2008 ali 
baba and 40 , LLC) have not just started monetizing the 
infected hosts, they're using multiple layers of monetization 
to do so. 

Related posts: 

[22] Movement on the Koobface Front - Part Two 

[23] Movement on the Koobface Front 

[24] Koobface - Come Out, Come Out, Wherever You Are 

[25] Dissecting Koobface Worm's Twitter Campaign 

[26] Dissecting the Koobface Worm's December Campaign 

[27] Dissecting the Latest Koobface Facebook Campaign 

[28] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [29]Dancho Danchev's 
blog. 
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Koobface Botnet's Scareware Business Model (2009- 
09-16 20:45) 

UPDATE1: TrendMicro just confirmed the ongoing [ljdouble- 
layer monetization of Koobface. Meanwhile, the gang is 
rotating the scareware domains with new ones pushed by 
popup.php, followd by two recently updated Koobface 

components. 

The [2]new scareware domains kjremover .info; Irxsoft 
.info - 212.117.160.21 - Email: niclas@i.ua actually 

[3]download it from the well known q2bf0fzvjb5ca .cn 
portfolio, which phones back to the same domains listed 







previously, with only a slight change in the filename - 

urodinam .net/8732489273.php. The generic detection 
rate for the updated components (61.235.117.83 
/bin/[4]get.exe; 61.235.117.83 

/bin/[5]v2webserver.exe) with get.exe phoning back to a 
domain parked at the takedown-proof, China-based 

61.235.117.83, in particular gdehochesh 

.co m/a dm/index, php. 

Just like Conficker, the [6]Koobface botnet is no stranger to 
the [7]scareware business model and the poten¬ 
tial for monetization of the hundreds of thousands of infected 
hosts. 

However, changes made in the campaign structure of the 
Koobface botnet during the last couple of days, indi¬ 
cate that the Koobface gang has embedded a pop-up at each 
and every host that's automatically rotation different 
scareware brands. They're now officially monetizing the 
botnet using a scareware business model. 

Let's analyze the latest changes introduced by the Koobface 
gang over the last couple of days and emphasize 
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|w»p—« » itliat* Mport for Ntp ^ 4Q l»4 1 ^,»DxXa/> 


// KROTEG 
v«c pjirxklxlS • [ 

['ftcebook.coas', 'fb2'), 

l * merged.com 1 , ' cg/view'), 

[' frieadater .cote' , 'fr'l , 

[ 1 »yapace.con', 'bbs ], 

I 'aaplinlu.eott 1 , 'wl, 

('ink.**', '«*•), 

('Myycokrbook.eocB', • yb* ] , 

(•fub«r.coo>*, *fu*J, 

('(mUK.MB 1 , •**■], 

I'hlS.eca', *hl5'|, 

(‘b«bo. com' , ‘b* - J 

); 

v«c vnfcxttfuvsyltpjqO • ( 

*90.40.164.1*9', 

•6*.106.*1.146', 

•64.*4.214.75*, 

‘96.22).195.US*, 

*79.162.24.12*', 

*9*.26.1)*.220', 

*75.74.201.2)2', 

*77.127.116.15', 

‘4.154.55.209’, 

'94.19*.17).16*', 

*87.*6.50.2)8*, 

*21).6.97.76*, 

'72.128.68.118', 

•68.90.178.26*, 

* 201.223.24.185* ]; 

vac soacbvcux6 - ", folgacrpi6 - •*, cyvqpatS • ", ycwjf s«a;)ckihwxpovbu2 - "j 

vac coat jf dxecqr uni ycp»6 - " ♦ aval(‘doc'«*oacbvcux6*'u»e'♦tol<raccpi6*'nc.C ♦cyvqp»5« a efec'*ycia<rfseajzkih«ncpovtou2** car*), uojdpickabalO - "i 
foe (vac vscepocltvcxnfjS • 0: vazapocltvcxaf jS < pjicxkbdS. length.' vszepocltvcxnf j5 ♦♦> ( 
if (<coacjfdxacqtur»iyg»«. index Of (p)icx)dxlS( vazapoclcvcxnf J5] CO)) !• -1)) ( 
uojdpitfcstoalO • '/!■' ♦ pjicxktod5[w9cepocltvcxaf j5] [11 .* 
break; 

on the monetization tactics introduced by the gang. 

[8]Next to [9]insulting, showing [10]gratitude, the 
[ll]Koobface gang also has a (black) sense of humor - within 
one of the directories at the takedown-proof command and 
control used by the gang in China ([12]61.235.117.83; at 

61.235.117.83/bin in particular) they've left the following 
message 11 2008 ali baba and 40, LLC". [13]Ali Baba and 
the Forty Thieves is a 1944 film based on the original [14]Ali 
Baba character. 

Compared to previous campaigns relying on centralized 
command and control and redirection points - making 

them easy to shut down - the ongoing Facebook campaigns 
are dynamically redirecting to IPs within the Koobface 

network, which combined with their use of compromised 
legitimate sites is supposed to make the take down of their 
campaigns a bit more time consuming. 
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That's, of course, not the case since undermining their 
monetization approaches undermines the monetary value of 
their campaigns, which is what they're after this time. The 
Koobface gang has now embedded a single line within each 
and every infected host used in the campaign, in order to not 
only attempt to infect new visitors with the Koobface 
malware itself, but to also trick them into installing the 
scareware which is rotated as usual. 

dangerWindAdr = 61.235.117.83/ popup.php loads on 
each and every Facebook spoof page part of the bot¬ 
net and is then redirecting the most popular scareware 
template, the My computer Online Scan. 
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The first scareware domain used in the last 48 ryacleaner 
.info/hitin.php?affid=02979 (212.117.160.211 parked 
there as also eljupdate .info Email: niclas@i.ua and 
dercleaner .info Email: niclas@i.ua) was serving setup.exe 
which is downloading the actual [15]scareware executable 
from mt3pvkfmpi7de .cn/get.php?id=02979 
(220.196.59.23). 








What's so special about this domain? It was last profiled in 
the [16]A Diverse Portfolio of Fake Security Software - 

Part Twenty Three with the entire portfolio of .cn domains 
parked at the same IP registered under the same email - 

robertsimonkroon@gmail.com. 

The second scareware domain pushed by the Koobface 
during the last 24 hours, gotrioscan .com/?uid=13301 

- 91.212.107.103 - momorule@gmail.com redirects to plazec 
.info/22/?uid=13301 - 91.212.107.103 - Email: 
bebrashe@gmail.com where the [17]scareware is served. 
Parked at the same IP is the rest of thescareware domains 
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portfolio pushed by Koobface: 

in5id .com 
in5ch .com 
goscanback .com 
goscanlook .com 
gofatescan .com 
goeachscan .com 
gobackscan .com 
goironscan .com 
gotrioscan .com 
ia-pro .com 



iantivirus-pro .com 
iantiviruspro .com 
windoptimizer .com 
woptimizer .com 
in5cs .com 
wopayment .com 
in5st .com 
zussia .info 
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beeves .info 
quoifs .info 
filths .info 


broths .info 



nevils .info 
swoons .info 
sallat .info 
apalet .info 
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reglet .info 
camlet .info 
plamet .info 
hownet .info 
fosset .info 
cuplift .info 
raught .info 
holdit .info 
unroot .info 
unwept .info 
anmast .info 
ticedu .info 
outliv .info 
onclew .info 


froday .info 
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mayray .info 



























































tenshy .info 
steepy .info 
miloty .info 
debuty .info 
fifthz .info 
potinz .info 
caretz .info 
narowz .info 

What do these two scareware executables have in common? 
Its the phone back locations that the Koobface gang is 

using, reveling its participation in a scareware affiliate 
network called Crusade Affiliates. 
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The first phone back location urodinam.net /dfgsdfsdf 
.php - 122.224.9.67 adds a .bat file which would attempt to 
obtain mshta.exe from urodinam.net/33t .php? 
stime=1253063118 on hourly basis. The second phone 
back location is the Crusade Affiliates network that shares 
revenue with the Koobface gang whenever a scareware 
pushed by the gang is purchased - crusade-affiliates 
.com/install.php?id=02979 - 85.17.139.149. 

The third phone back location is a direct download attempt of 
[18]FraudTool.Win32.SecretService; RogueAn- 

tiSpyware.PrivacyCenter.AJ from 0ni9ols3feu60 
.cn/u4.exe - 220.196.59.23. It's pretty evident that the 





Koobface botnet is now relying on multiple layers of 
monetization approaches. 

The Koobface gang has been pretty during the last couple of 
days. 

The following list of Koobface malware 

spreading domains are in circulation across social networking 
sites since the last 48 hours, consisting of a combination of 
purely malicious and compromised legitimate sites: 

3sss .com/youtube.com 

4bond .it/youtube.com 

ac2j .com/freeemOvies 

acedl979 .freehostia.com/yOurfilm 

alexandrialocksmith .net/uncensOredvideO 

alpha.kei .pl/amalzlngfilms 

alruwaithy .com/extrlmeperfOrmans 

astoundeddesign .com/privaledemOnstratiOn 

awwfuck .me/fuunnyactiOn 
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baddog.me .uk/uncensOredclip 
bbckzoo .com/extrlmedwd 
bbckzoo . co m/m my perf Ormans 
be. la/freeefilms 
bencaputoprinting .com/cOOIfilm 
bicentenario.sc49 .info/mmyfilm 
bighornrivercabins .com/cOOIvlds 
biskopsto .fo/fantasticmOvie 
































bloch-data .dk/cOOIvlds 
bokongerslev .dk/amalzlngmOvie 
bokongerslev .dk/extrlmeactiOn 
book-dalmose .dk/extrlmeperfOrmans 
campionariadigalatina .it/youtube.com 
carlamo .com/extrlmeclip 
centerforyourhealth .com/extrlmemOvies 
centralbaptist.org .au/fantasticvideO 
certtiletechs .com/fuunnymOvies 
cisaimpianti .net/youtube.com 
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claykelley .net/extrlmevlds 
claykelley .net/mmyvideO 
clubatleticigualada .com/yOurclip 
connoro .com/bestshOw 
consignbuydesign .com/fuunnyttube 
dkflyt .dk/mmytw 
downingfarms .com/bestactiOn 
eminfinity.com .au/amalzlngclips 
eminfinity.com .au/uncensOredshOw 



endurancesportscar .com/extrlmemOvies 

epicent .dk/publicfilm 

evaracollin .be/mmyfilms 

exceleronmedical .com/amalzlngclips 

exceleronmedical .com/cOOlperfOrmans 

exceleronmedical .com/privalettube/?youtube.com 

finolog .com/privalemOvie 

fitslim .com/fantasticdemOnstratiOn 

gacogop .org/fuunnyclips 

gamlabodens .se/privaletw 

garagedoorsnow .com/meggademonstration 

garlicworld .com/mmymOvie 

garlic world .com/uncensOredperfOrmans 

gcillustration .com/extrlmevideO 

germanamericantax .com/publicmOvie 

happyholidaychristmastrees 

.com/uncensOredperfOrmans 

horaexata.com .br/cOOIclip 

huffmanfarms .com/fantasticfilms 

imagequest360 .com/fantasticmOvies 



inartdesigns .com/extrlmevideO 
interception .dk/mmyttube 

kalender.sttmedia .se/amalzlngdemOnstratiOn 

kartingclubsourdsnamur .be/besttw 

kiding.users.digital-crocus .com/mmymOvies 

kioerfem .dk/amalzlngshOw 

kracl .com/freeeshOw 

kreativdizajn .com/amalzlngvlds 

ktvsongs .com/publicactiOn 

lonestargcs .com/mmydwd 

losangelesfurniture .com/fantasticdemOnstratiOn 
Ir-online .dk/cOOIfilms 
Ir-online .dk/yOurshOw 
marketmarkj .com/privalemOvies 
martinhorngren .com/privalettube 
meetingpacket .com/youtube.com 
microscoop .net/fantasticttube 
momentsbypat .com/publicmOvie 
mtn-ejendomme .dk/mmyactiOn 
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nadiottawa .org/publicclips 
naestved-sportscollege .dk/amalzlngactiOn 
nicalandnow .com/uncensOredvIds 
odyssey-consultants .com/amalzIngvideO 
odyssey-consultants .com/mmymOvie 
onlyfun .se/extrlmeclip 
pridesoccer .com/privaleclips 
quicksilver-direct .com/amalzlngfilm 


reddoorchina .com/mmyvlds 
relivery .com/extrlmeshOw 
ristorocasanova .it/youtube.com 
sanfranciscocookie .com/fantasticfilms 
sarkos .ch/fuunnyperfOrmans 
saudiclubs .org/fantasticvlds 
sauipeswimwear .com/cOOImOvie 
schoolofhiphop .no/freeefilms 
senegalinfoservices .com/bestactiOn 
squashigualada .com/extrlmevlds 
starcraftdream .com/fuunnyvlds 
stm.frihost .org/freeefilm 
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stringer .no/uncensOredactiOn 
sttmedia .se/fantastictw 
taia.com .br/uncensOreddwd 
thefurniturewarehouse .net/mmymOvies 
theidusshop .com/publictw 
thepinflow .com/meggashOw 
thorsen-meyer .dk/bestclips 



tivity .dk/amalzlngmOvie 
tivity .dk/fantasticfilms 
tizianamaniezzo .com/fantasticclips 
tohva .org/bestactiOn 
troop270 .nwsc.org/fuunnydwd 
txmurphys .com/cOOIfilm 
tybjerglillebakkervand .dk/privalemOvie 
vagnpfisk .dk/privalemOvie 
vivaipirovano .com/youtube.com 
xanchise .com/cOOIclip 
yurafting .com/amalzlngvlds 

[19]Sampled Koobface binary now phones back to 

bianca.trinityonline .biz/.sys/?action=ldgen &v=14 
and bianca.trinityonline .biz/.sys/?action=ldgen 
&a = 590837698 &v=14 &l = 1000 &c _fb=0 &c _ms=0 
&c hi=0 &c tw=0 

&c be=0 &c tg=0 &c nl=0. 69.163.147.203 - Email: 
email@darrenjames.net, with the latest Koobfae update 
modules detected as follows - 61.235.117.83 
/bin/[20]v2prx.exe; 61.235.117.83 /bin/[21]pp.12.exe 

The "Koobface botnet and the 40 cybercriminals" (2008 ali 
baba and 40 , LLC) have not just started monetizing the 
infected hosts, they're using multiple layers of monetization 
to do so. 



Related posts: 

[22] Movement on the Koobface Front - Part Two 

[23] Movement on the Koobface Front 

[24] Koobface - Come Out, Come Out, Wherever You Are 

[25] Dissecting Koobface Worm's Twitter Campaign 

[26] Dissecting the Koobface Worm's December Campaign 

[27] Dissecting the Latest Koobface Facebook Campaign 

[28] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [29]Dancho Danchev's 
blog. 

1. http://blo a .trendmicro.com/pick-vour-poison-koobface-or- 
fakeav/ 

2 . 

http://www.virustotal.com/analisis/5daf7fbl9bea76e5b438b6 

9f72d75b8006ca0dfbfb68a0c43466b3elbfd0c220-12532 

90342 

3. http://ddanchev.blo as pot.eom/2009/07/diverse-portfolio- 
of-fake-securitv_27.html 

4. 

http://www.virustotal.com/analisis/7fla848c42f548715b3ae2 

8a7033c6d9b3dc64630f62ecb8b72b658dfcl8f86e-12532 


89574 
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http://www.vi rustotal.com/analisis/8b6b0105d5bd4b374elfb 

826ce69874c2c5fc3430507d439547c4a81e0e778db-12532 

89585 

6. http:// a arwarner.blo as pot.com/2009/09/koobface-wrecks- 
search-results.html 

7. http://ddanchev.blo as pot.com/2009/04/confickers- 
scarewarefake-securitv.html 

8. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

9. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with 09.html 
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AAAAD-Y/WO17amHSx6U/sl60Q-h/koobface-thanks-danchol 

.PNG 


12. http://whois.domaintools.com/61.235.117.83 
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http://en.wikipedia.or g /wiki/Ali Baba and the Forty Thieves 
%281944 film%29 


14. http://en.wikipedia.or a /wiki/Ali_Baba 
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http://www.vi rustotal.com/analisis/f9927cedb08e47c838772 
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34136 

16. http://ddanchev.blo as pot.com/2009/07/diverse-portfolio- 
of-fake-securitv_27.html 

17. 

http://www.virustotal.com/analisis/fc49elfb731ae959262b22 

37494e0cd39elc5399f4fd56ale40276053a0e693f-12531 

14398 

18. 

http://www.virustotal.com/analisis/9c23d2c48bc5912869f2cc 

eelcf8798cb8b9f466996c96538546c7466ae710ef-12530 

34570 
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http://www.virustotal.com/analisis/15a4092dlaf66a5al2655 
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25400 
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12530 

35704 
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22. http://ddanchev.blo as pot.com/2009/Q8/movement-on- 
koobface-front-part-two.html 

23. http://ddanchev.blo as pot.com/2009/Q8/movement-on- 
koobface-front.html 


24. http://ddanchev.blo as pot.com/2009/Q7/koobface-come- 
out-come-out-wherever-vou.html 

25. http://ddanchev.blo as pot.com/2009/Q7/dissectin a- 
koobface-worms-twitter.html 


26. http://ddanchev.blo as pot.com/20Q8/12/dissectin a- 
koobface-worms-december.html 


27. http://ddanchev.blo as pot.com/20Q8/ll/dissectin a -latest- 
koobface-facebook.html 


28. http://ddanchev.blo as pot.com/20Q8/12/koobface- a an a- 
mixin a -social-en a ineerin a .html 
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The Ultimate Guide to Scareware Protection (2009- 
09-18 19:03) 

Throughout the last two years, [l]scareware (fake security 
software), quickly emerged as the single most profitable 
monetization strategy for cybercriminals to take advantage 
of. Due to the aggressive advertising practices applied by the 
cybercrime gangs, thousands of users fall victim to the scam 
































on a daily basis, with the gangs themselves earning 
hundreds of thousands of dollars in the process. 

This [2]end user-friendly guide aims to educate the 
Internet user on what scareware is, the risks posed by 
installing it, how it looks like, its delivery channels, and most 
importantly, how to recognize, avoid and report it to the 
security community taking into consideration the fact that 
99 % of the current releases rely on social engineering 
tactics. 

This post has been reproduced from [3]Dancho Danchev's 
blog. 

1. http://en.wikipedia.or g /wiki/Scareware 

2. http://blo a s.zdnet.com/securit v/7 p=4297 

3. http://ddanchev.blo as pot.com/ 
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Dissecting September's Twitter Scareware Campaign 
(2009-09-25 12:03) 

UPDATE: 4 hours after notification, Twitter has suspended 
the remaining bogus accounts. [ 1 ]UntiI the next time, when 
the reCAPTCHA recognition gets [2]cost-effectively 
outsourced for automatic [3]scareware-serving purposes. 

Over the last couple of days, my Ukrainian "fan club" - fan 
club in a sarcastic sense due to [4]the love, more 

[5]love, even [6]more love and [7]gratitude shown so far - 
has once against started abusing Twitter by automatically 
generating bogus accounts [8]tweeting scareware serving 
links by syndicating Twitter's trending topics. 






This traffic acquisition tactic is in fact nothing new, and in 
the case of this Ukrainian cybercrime enterprise, is done "in 
between" the rest of their malicious activities. What's worth 
pointing out is that just like the most recent 

[9]malvertising campaign at NYTimes.com, the Ukrainian 
gang keeps using domains already in circulation within 

their blackhat SEO campaigns, making it fairly easy to 
establish connections between these and the ongoing Twitter 
campaign. 
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Hey there! zastrow994 is using 
Twitter. 

Twitter is a free service that lets you keep in touch with people through 
the exchange of quick frequent answers to one simple question What 
are you dong? Join today to start receiving zattrow994‘a tweets 


Join today! 


_ NamtUK/i Jonwg 

0 zastrow994 'TT 


Gle Not bad, really. See 

http://is.gd/3BZqa 


att Dtackom 


*'■ creaave Brand Eyes 


Yaaay* 0 watering >OsmciO- movwntre 

00 ST Giee Of) gee muKmonoay 


.VAflrmG" Twdier worm and pftrstung «jn" 
©rand new eyes gee pn*ps HiNllltl 


? twigs «i Me 1 cant ive*«nout Fuzzoai and mini ) 


RT Qrr - Even leoenese delegates waxed out on an 
rap , 7 a g3»;o7e vanttecaon Greenwv 


Jay-Z 1 just got a tree pnone today »or fusisucmang my emaa Oo 
you want one">i 111 imp vs gi'MJZqa 



By the time Twitter suspends the automatically registered 
bogus accounts, on average, 70 to 80 tweets have been 
published per single account. Here's the most recent list of 
currently active Twitter accounts tweeting scareware links: 

twitter.com /verinal238 

twitter.com /knabl90 

twitter.com /zastrow994 

twitter.com /gustavel2 

twitter.com /trautwein9975 

twitter.com /reinke341 

twitter.com /ordella509 

twitter.com /Iysa380 

twitter.com /weinhold344 

twitter.com /wachsmannl541 

twitter.com /weishaupt917 

twitter.com /scheidl265 

twitter.com /fitzl677 

twitter.com /falkner425 

twitter.com /ope!1409 
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twitter.com /raschel401 
twitter.com /schlechtl581 
twitter.com /verinal238 
twitter.com /perahta985 

The accounts are relying on identical short URLs, with the 
following ones still active and in circulation: 

tinyurl.com /Iyby2r 

tinyurl.com /nx39k8 




tinyurl.com /Iyby2r 
tinyurl.com /mnbfox 
tinyurl.com /msjjv8 
tinyurl.com /mj5wju 
tinyurl.com /mxg2vo 
tinyurl.com /m656h7 
tinyurl.com /nffkly 
xrl.us /bfnpv7 
xrl.us /bfnsa8 
xrl.us /bfny8e 
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HTTP 

xrl.us 

/bfny8e 

226 

text/html 

HTTP 

imagination-l.com 

/?uid= 138&pid=3&ttl=b 1 d4e571 b 16 

525 

text/html 

HTTP 

my-systemscan. com 

/?p=WKmimHVla3GHjsbIo22EhHV8ipnVbWeMn... 

1,780 

text/html 

HTTP 

my-systemscan. com 

/Images/loading, gif 

0 


HTTP 

my-systemscan. com 

/Scripts/Strategies/7a06b79cdb03a4ed 1394b... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/7/images/l.,. 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/7/images/l.,. 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/7/images/l... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/7/images/l... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

0 


HTTP 

my-systemscan. com 

/build7_l 38. php?cmd=getFile&counter=0&p=... 

0 

application/... 

HTTP 

my-systemscan. com 

/build7_l 38. php?cmd=getFile&counter=1 &p=... 

0 

application/... 

HTTP 

my-systemscan. com 

/build7_l 38. php?cmd=getFile&counter=2&p=... 

0 

application/... 

HTTP 

a.gd 

/f6b7f5 

5 

text/html 

HTTP 

imagination-l.com 

/?uid=138&pid=3&ttl=b 1 d4e571 b 16 

527 

text/html 

HTTP 

my-systemscan. com 

/?p=WKmimHVla3GHjsbIo22EhHV8ipnVbWaMn.,. 

1,780 

text/html 

HTTP 

my-systemscan. com 

/Images/loading, gif 

0 


HTTP 

my-systemscan. com 

/Scripts/Strategies/6ad65f 29d4977407cc968c... 

17,203 

text/javasc... 

HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

32,352 

image/gif 

HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

22,127 

image/gif 

HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

79 

image/gif 








xrl.us /bfnnu4 


xrl.us /bfnzkk 
a.gd/ 6af3fe 
a.gd/ 649be 
a.gd/ f6b7f5 
a.gd/ 0abe74 
is.gd/ 3AoRZ 
is.gd/ 3A5DD 
is.gd/ 3AUVc 
is.gd/ 3BZqa 
is.gd/ 3C4IU 

The short URLs rely on several redirectors to finally land the 
end user on a scareware site, such as securityland .cn and 
imagination-1 .com: 

securityland .cn - 64.86.25.201 - Email: 
keithdgetz@gmail.com. Parked on the same IP are also: 

abclllab .com 

Olenfo .com 

ynoubfa .cn 

protectinstructor .cn 


immitations-all .net 



llimbo .net 


imagination-1 .com- 64.86.25.202 - Email: 
gertrudeedickens@text2re.com. Parked on the same IP are 
also: 

bombaslO .com 

589 

graveslll .com 
iriskas .com 
yvicawo ,cn 

Where do we know the gertrudeedickens@text2re.com 

email from? Several of the scareware domains pushed 

in the [10]ongoing U.S Federal Forms Themed Blackhat SEO 
Campaign have been registered using it, that very 

same blackhat SEO whose central redirector a-n-d-the 
.com/wtr/router.php - 95.168.177.35 - and in-t-h-e.cn - 

72.21.41.198 - (hosted by Layered Technologies, Inc.) mimics 
the campaign structure of 2008's [ll]massive input 
validation abuse attack using iFrames, courtesy of the RBN 
and the very first scareware campaigns. 

Moreover, the same email has been used to register two of 
the "phone-back" domains for the scareware 

pushed in the blackhat SEO campaign and the 
[12]NYTimes.com malvertising attack - 

windowsprotection-suite .net 



- Email: gertrudeedickens@text2re.com and 

securemysystem .net - Email: 
gertrudeedickens@text2re.com. 
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The following scareware domains are not just used within the 
Twitter campaign, some of them have also been 






detected as part of blackhat SEO campaigns: 

ekevuc .cn - 64.213.140.68 

windowspcdefender .com 

smart-virus-eliminator .com 

fast-systemguard .net 

opyhila .cn 

riwryse .cn 

adijef .cn 

dunhah .cn 

idisuan .cn 

wobcyn .cn 

upuoro .cn 

ucyilwo .cn 
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ogywuep .cn 
adaengu .cn 
taziqow .cn 
zerkauz .cn 

ejavone .cn - 64.213.140.69 

fastsystem-guard .com 



windowsguardsuite .com 

windowssystemsuite .com 

winsecuritysuite-pro .com 

windows-protectionsuite .net 

malwarecatcher .net 

fast-scan-protect .net 

fastscansecure .net 

goryhe .cn 

pyzuhme .cn 

zydfaqe .cn 

ahoize .cn 

abonyag .cn 

abenapi .cn 

otobym .cn 

abicoym .cn 

nepsoym .cn 

byzfalo .cn 

pywudar .cn 

qucgyit .cn 


dahokxu .cn 



lylbaov .cn 
cusryw .cn 
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fast-scanandprotect .net 


fastscanonline .com 





fastsearch-secure .com 


fast-systemguard .net 
go-scanandsecure .net 
goscan-protect .com 
go-searchandscan .com 
guardmyzone .net 
mynewprotection .net 
my-newprotection .net 
my-officeguard .com 
my-officeguard .net 
myprotectedsystem .com 
myprotected-system .com 
my-protectedzone .net 
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myprotectionshield .com 
myprotectionzone .com 
my-protectionzone .com 
my-protectionzone .net 
myprotection-zone .net 
my-saerchsecure .com 



my-safetyprotection .com 
my-systemprotection .net 
mysystemsafety .com 
my-systemscan .com 
my-systemscanner .com 
mysystemsecurity .com 
new-scanandprotect .com 
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newscan-andprotect .net 
new-systemprotection .com 
online-scanandsecure .net 
online-securescanner .net 
online-systemscan .com 






onlinesystemscan .net 
protectand-secure .com 
protectionsearch .com 
safetyshield .net 
safetysystem-guard .com 
scanonline-protect .com 
scan-system .net 
scanvirus-online .net 
searchandscan .net 
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search-scanonline .net 
searchsecureguard .net 
secure-systemguard .net 
system-guard .net 
systemguard-zone .com 
systemguard-zone .net 
systemprotected .net 
systemscan-secure .net 
trust-systemprotect .com 
trust-systemprotect .net 



trustsystem-protection .com 

trust-systemprotection .net 

windows-protectionsuite .net 

windows-systemguard .net 

windows-virusscan .net 

winprotection-suite .com 

[13]Sampled scareware also [14]phones-back to 
mysecurityguru .cn - 64.86.16.170 - Email: 


an- 

drew.fbecket@gmail.com, the same phone-back domain was 
used in the scareware sampled from the [15JNY- 

Times.com malvertising attack, with the same email also 
belonging to a scareware domain (mainsecsys .info) listed 
in the [16]Diverse Portfolio of Fake Security Software - Part 
Twenty Two for July. 

The cybercrime powerhouse behind all these attacks, 
continues maintaining the largest market share of 
[17]systematic Web 2.0 abuse, and that includes their 
involvement in [18]the Koobface botnet. 

Related posts: 

[19] Dissecting Koobface Worm's Twitter Campaign 

[20] Twitter Worm Mikeyy Keywords Hijacked to Serve 
Scareware 



[21] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[22] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[23] The Twitter Malware Campaign Wants to Bank With You 

[24] Does Twitter's malware link filter really work? 

[25] Commercial Twitter spamming tool hits the market 

[26] Cybercriminals hijack Twitter trending topics to serve 
malware 

[27] Spammers harvesting emails from Twitter - in real time 

[28] Twitter hit by multiple variants of XSS worm[29] 

This post has been reproduced from [30]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/? p=3178 

2. http://blo a s.zdnet.com/securit v/? p = 1835 

3. http://blo a s.zdnet.com/securit v/? p=4297 

4. 

http://2.bp.blo as pot.com/_wlCFihTiOmrA/Si a kzSv- 
sLI/AAAAAAAADrw/pPcRifZSU6U/sl600- 
h/blackhat seo ddanchev I 

ove. l PG 


5 . 




















htto://l.bp.blo as pot.com/ wICHhTiOmrA/SiOhcLUtEII/AAAAA 
AAADu a/ vHBpEfNePuQ/sl600-h/blackhat seo ddanchev m 

ore love 3. I PG 

6 . 

http://3.bp.blo as pot.com/ wlCHhTiOmrA/Si a ncRzz67l/AAAAA 
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* Hey there! knab190 is using 
Twitter. 


ng? Join today to start recemng knab190‘t tweets 


Join today! 




knab190 


Gotcha!, glee! 

http: // ti nyurl. com/msjjv8 


toe—OW LAI 

0 S 
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Dissecting September's Twitter Scareware Campaign 
(2009-09-25 12:03) 






















UPDATE: 4 hours after notification, Twitter has suspended 
the remaining bogus accounts. [ 1 ]UntiI the next time, when 
the reCAPTCHA recognition gets [2]cost-effectively 
outsourced for automatic [3]scareware-serving purposes. 

Over the last couple of days, my Ukrainian "fan club" - fan 
club in a sarcastic sense due to [4]the love, more 

[5]love, even [6]more love and [7]gratitude shown so far - 
has once against started abusing Twitter by automatically 
generating bogus accounts [8]tweeting scareware serving 
links by syndicating Twitter's trending topics. 

This traffic acquisition tactic is in fact nothing new, and in 
the case of this Ukrainian cybercrime enterprise, is done "in 
between" the rest of their malicious activities. What's worth 
pointing out is that just like the most recent 

[9]malvertising campaign at NYTimes.com, the Ukrainian 
gang keeps using domains already in circulation within 

their blackhat SEO campaigns, making it fairly easy to 
establish connections between these and the ongoing Twitter 
campaign. 
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Hey there! zastrow994 is using 
Twitter. 

Twine* is a free service that lets you keep m touch with people through 
the exchange of quick frequent answers to one simple question What 
are you doing? Join today to start receiving za»trow994'a tweets 


Join today! 



zastrow994 


Gle Not bad. really. See 

http://is.gd/3BZqa 


uumoOkmi 
0 9 


FoAowng 


ATT DtKkOUl 


c reaave Brand ne* Eyes 


vaaay 1 Owaknng >Osanct9< movie nere 
OOST G*ee OR g»ee rrwsxmcnaay 


WARMMGIf Tantler worm and ptusftng scam" nni 
erano new eyes giee pnnps minim 1 ! 


?nngsin we uanf kve««hout Fuanai and mini ) 


RT Q r> Even leoenese oeiegaies waited out on am 
ratp a go»:o7tj. **■**< ooo Greenwv 


Jay-Z i fust got a tree pnone today lor lustsuemowig my ernaa Oo 
you want one">i 111 imp •'•'s g046Zqa 


By the time Twitter suspends the automatically registered 
bogus accounts, on average, 70 to 80 tweets have been 
published per single account. Here's the most recent list of 
currently active Twitter accounts tweeting scareware links: 

twitter.com /verinal238 

twitter.com /knabl90 

twitter.com /zastrow994 

twitter.com /gustavel2 

twitter.com /trautwein9975 



twitter.com /reinke341 
twitter.com /ordella509 
twitter.com /Iysa380 
twitter.com /weinhold344 
twitter.com /wachsmannl541 
twitter.com /weishaupt917 
twitter.com /scheidl265 
twitter.com /fitzl677 
twitter.com /falkner425 
twitter.com /ope!1409 
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twitter.com /raschel401 
twitter.com /schlechtl581 
twitter.com /verinal238 
twitter.com /perahta985 

The accounts are relying on identical short URLs, with the 
following ones still active and in circulation: 

tinyurl.com /Iyby2r 

tinyurl.com /nx39k8 




tinyurl.com /Iyby2r 
tinyurl.com /mnbfox 
tinyurl.com /msjjv8 
tinyurl.com /mj5wju 
tinyurl.com /mxg2vo 
tinyurl.com /m656h7 
tinyurl.com /nffkly 
xrl.us /bfnpv7 
xrl.us /bfnsa8 
xrl.us /bfny8e 
xrl.us /bfnnu4 
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HTTP 

xrl.us 

/bfny8e 

226 

text/html [ 

HTTP 

imagination-l.com 

/?uid= 138&pid=3&ttl=b 1 d4e571 b 16 

525 

text/html 

HTTP 

my-systemscan. com 

/?p=WKmimHVla3GHjsbIo22EhHV8ipnVbWeMn... 

1,780 

text/html 

HTTP 

my-systemscan. com 

/Images/loading, gif 

0 


HTTP 

my-systemscan. com 

/Scripts/Strategies/7a06b79cdb03a4ed 1394b... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/7/images/l.,. 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/7/images/l.,. 

0 


HTTP 

my-systemscan, com 

/Layouts/Landings/CentralLandings/7/images/l... 

0 


HTTP 

my-systemscan, com 

/Layouts/Landings/CentralLandings/7/images/l... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

0 


HTTP 

my-systemscan. com 

/build7_l 38. php?cmd=getFile&counter=0&p=... 

0 

application/... 

HTTP 

my-systemscan. com 

/build7_l 38. php?cmd=getFile8tcounter= 1 &p=... 

0 

application/... 

HTTP 

my-systemscan. com 

/build7_l 38. php?cmd=getFile&counter=2&p=... 

0 

application/... 

HTTP 

a.gd 

/f6b7f5 

5 

text/html I 

HTTP 

imagination-l.com 

/?uid=138&pid=3&ttl=b 1 d4e571 b 16 

527 

text/html 

HTTP 

my-systemscan. com 

/?p=WKmimHVla3GHjsbIo22EhHV8ipnVbWaMn... 

1,780 

text/html 

HTTP 

my-systemscan. com 

/Images/loading, gif 

0 


HTTP 

my-systemscan. com 

/Scripts/Strategies/6ad65f 29d4977407cc968c... 

17,203 

text/javasc... 

HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

32,352 

image/gif 

HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

0 


HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l... 

22,127 

image/gif 

HTTP 

my-systemscan. com 

/Layouts/Landings/CentralLandings/6/images/l.,. 

79 

image/gif 


xrl.us /bfnzkk 
a.gd/ 6af3fe 
a.gd/ 649be 
a.gd/ f6b7f5 
a.gd/ 0abe74 
is.gd/ 3AoRZ 
is.gd/ 3A5DD 
is.gd/ 3AUVc 
is.gd/ 3BZqa 
is.gd/ 3C4IU 








The short URLs rely on several redirectors to finally land the 
end user on a scareware site, such as securityland .cn and 
imagination-1 .com: 

securityland .cn - 64.86.25.201 - Email: 
keithdgetz@gmail.com. Parked on the same IP are also: 

abclllab .com 

Olenfo .com 

ynoubfa .cn 

protectinstructor .cn 

immitations-all .net 

llimbo .net 

imagination-1 .com- 64.86.25.202 - Email: 
gertrudeedickens@text2re.com. Parked on the same IP are 
also: 

bombaslO .com 
graveslll .com 
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iriskas .com 
yvicawo .cn 

Where do we know the gertrudeedickens@text2re.com 

email from? Several of the scareware domains pushed 

in the [10]ongoing U.S Federal Forms Themed Blackhat SEO 
Campaign have been registered using it, that very 



same blackhat SEO whose central redirector a-n-d-the 
.com/wtr/router.php - 95.168.177.35 - and in-t-h-e.cn - 

72.21.41.198 - (hosted by Layered Technologies, Inc.) mimics 
the campaign structure of 2008's [ll]massive input 
validation abuse attack using iFrames, courtesy of the RBN 
and the very first scareware campaigns. 

Moreover, the same email has been used to register two of 
the "phone-back" domains for the scareware 

pushed in the blackhat SEO campaign and the 
[12]NYTimes.com malvertising attack - 

windowsprotection-suite .net 

- Email: gertrudeedickens@text2re.com and 

securemysystem .net - Email: 
gertrudeedickens@text2re.com. 
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The following scareware domains are not just used within the 
Twitter campaign, some of them have also been 


detected as part of blackhat SEO campaigns: 
ekevuc .cn - 64.213.140.68 

windowspcdefender .com 





smart-virus-eliminator .com 


fast-systemguard .net 

opyhila .cn 

riwryse .cn 

adijef .cn 

dunhah .cn 

idisuan .cn 

wobcyn .cn 

upuoro .cn 

ucyilwo .cn 
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ogywuep .cn 
adaengu .cn 
taziqow .cn 
zerkauz .cn 

ejavone .cn - 64.213.140.69 

fastsystem-guard .com 
windowsguardsuite .com 
windowssystemsuite .com 
winsecuritysuite-pro .com 



windows-protectionsuite .net 

malwarecatcher .net 

fast-scan-protect .net 

fastscansecure .net 

goryhe .cn 

pyzuhme .cn 

zydfaqe .cn 

ahoize .cn 

abonyag .cn 

abenapi .cn 

otobym .cn 

abicoym .cn 

nepsoym .cn 

byzfalo .cn 

pywudar .cn 

qucgyit .cn 

dahokxu .cn 

lylbaov .cn 

cusryw .cn 
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fast-scanandprotect .net 
fastscanonline .com 
fastsearch-secure .com 
fast-systemguard .net 
go-scanandsecure .net 








goscan-protect .com 
go-searchandscan .com 
guardmyzone .net 
mynewprotection .net 
my-newprotection .net 
my-officeguard .com 
my-officeguard .net 
myprotectedsystem .com 
myprotected-system .com 
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my-protectedzone .net 
myprotectionshield .com 
myprotectionzone .com 
my-protectionzone .com 
my-protectionzone .net 
myprotection-zone .net 
my-saerchsecure .com 
my-safetyprotection .com 
my-systemprotection .net 
mysystemsafety .com 



my-systemscan .com 
my-systemscanner .com 
mysystemsecurity .com 
new-scanandprotect .com 
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newscan-andprotect .net 
new-systemprotection .com 
online-scanandsecure .net 
online-securescanner .net 
online-systemscan .com 
onlinesystemscan .net 
protectand-secure .com 
protectionsearch .com 
safetyshield .net 
safetysystem-guard .com 
scanonline-protect .com 
scan-system .net 
scanvirus-online .net 
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searchandscan .net 
search-scanonline .net 
searchsecureguard .net 
secure-systemguard .net 
system-guard .net 
systemguard-zone .com 



systemguard-zone .net 

systemprotected .net 

systemscan-secure .net 

trust-systemprotect .com 

trust-systemprotect .net 

trustsystem-protection .com 

trust-systemprotection .net 

windows-protectionsuite .net 

windows-systemguard .net 

windows-virusscan .net 

winprotection-suite .com 

[13]Sampled scareware also [14]phones-back to 
mysecurityguru .cn - 64.86.16.170 - Email: 


an- 

drew.fbecket@gmail.com, the same phone-back domain was 
used in the scareware sampled from the [15JNY- 

Times.com malvertising attack, with the same email also 
belonging to a scareware domain (mainsecsys .info) listed 
in the [16]Diverse Portfolio of Fake Security Software - Part 
Twenty Two for July. 


The cybercrime powerhouse behind all these attacks, 
continues maintaining the largest market share of 



[17]systematic Web 2.0 abuse, and that includes their 
involvement in [18]the Koobface botnet. 

Related posts: 

[19] Dissecting Koobface Worm's Twitter Campaign 

[20] Twitter Worm Mikeyy Keywords Hijacked to Serve 
Sea reware 

[21] From Ukraine with Bogus Twitter, Linkedln and Scribd 
Accounts 

[22] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[23] The Twitter Malware Campaign Wants to Bank With You 

[24] Does Twitter's malware link filter really work? 

[25] Commercial Twitter spamming tool hits the market 

[26] Cybercriminals hijack Twitter trending topics to serve 
malware 

[27] Spammers harvesting emails from Twitter - in real time 

[28] Twitter hit by multiple variants of XSS worm[29] 

This post has been reproduced from [30]Dancho Danchev's 
blog. 
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Hijacking Windows System Restore for cybercrime 
profits 

Cifccr cnm* pang* n Chm ar« penetrating the hard rfcsfc recovery cards on 
computers m [rtemet cafes and usng a ccmbnabon of zero-day lia«rs, 
rootlots and MP spoofng tednoM to . Continued » 

September 30th. 2009 

New botnet hides commands as JPEG 
images 


' ^ 30 Talk Backs 


i f 


Secvrtv researchers have stumt4ed on a new botnet that uses an 
vitereffing techntgue to mask its nefanous mtenbons. 

The MonfcdiDlxhora botnec, ntwh it pusfvng out Tro>an downtoadsrs to 
rtacted machetes, it encodwg the rwtruebons to appear as 4 the 
| command• and-controf server ft ratunvng a JPCG mage N*. accordng to 
taeeMrorls researcher Xason Hdetary. Read the rest of thrt entry • 
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RIM plugs BlackBerry phishing hole 
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♦ Malware Remover 
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Recent Entries 
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Summarizing Zero Day's Posts for September (2009- 
10-01 15:38) 

The following is a brief summary of all of my posts at ZDNet's 
[l]Zero Day for September. 

You can also go through previous summaries for [2]August, 
[3]July, [4]June, [5]May, [6]ApriI, [7]March, [8]February, 

[9]January, [10]December f [ll]November f [12]October f 
[13]September, [14]August and [15]July, as well as subscribe 
to my [16]personal RSS feed or [17]Zero Day's main feed. 

Notable articles include: [18]The ultimate guide to scareware 
protection + [19]Gallery; [20]'Anonymous' group 







attempts DDoS attack against Australian government 
(Operation Didgeridie) and [21]Modern banker malware 

undermines two-factor authentication. 

01. [22]Scareware goes Green 

02. [23]'Anonymous' group attempts DDoS attack against 
Australian government 

03. [24]Cutwail botnet spamming 'IRS unreported income' 
themed malware 

04. [25]Citizens Financial sued for insufficient E-Banking 
security 

05. [26]iPhone's anti-phishing protection offers inconsistent 
results 

06. [27]9/l 1 related keywords hijacked to serve scareware 

07. [28]The ultimate guide to scareware protection + 
[29]Gallery 

08. [30]Phishers introduce 'Chat-in-the-Middle' fraud tactic 
09. [31]Scareware scammers hijack Twitter trending topics 
611 

10. [32]Modern banker malware undermines two-factor 
authentication 

11. [33]Chinese hackers launch targeted attacks against 
foreign correspondents 

12. [34]Research: Small DIY botnets prevalent in enterprise 
networks 
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Standardizing the Money Mule Recruitment Process 
(2009-10-06 09:23) 

























[l]Ah, deja vu! How is it possible that the [2]Scope Group 
money mule recruitment group acting as the employer 

for the interviewed mule has been 11 set up in 1990 in New 
York, the USA by three enthusiasts who have financial 
education" just like [3]AF-GROUP LLC and its portfolio of 
brands, whose 30k [4]botnet operations I exposed and took 
down in May, 2009, next to establishing a direct connection 
between the botnet and an [5]Ukrainian dating scam 

agency known as "Confidential Connections"? 

Pretty simple - just like the efficiency-centered mentality 
applied in the [6]template-ization of [7]malware, the ongoing 
standardization of the money mule recruitment business 
model is resulting in a bogus brand portfolios using identical 
web site layouts next to the same copy writing materials 
offered by a single vendor exclusively working with money 
mule recruitment organizations only. A couple of years ago, 
the money mule recruitment process was largely inefficient 
due to the operational security applied - [8]not everyone 
could become a money mule unless certain 
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criteria was met. A newly launched managed money mule 
recruitment design agency that I've been monitoring for a 
while, is poised to help cybercriminals achieve faster 
recruitment rates based on the cybercriminal-tailored 
services it's offering. 

Whereas it's been operating beneath the radar for several 
years, exclusively serving known and trusted cyber¬ 
criminals, it's recent mainstream business model is a great 
example of a timely underground market proposition due to 
the fact that the current economic climate best suits the 
money mule recruitment business model due to its high 
commissions for processing fraudulently obtained money. 





Do you infiltrate the entire assembly line, or do you assess 
the final product? Appreciate my rhetoric as usual, it's full 
disclosure time, hence infiltrating the assembly line. 

In this post, we'll take a look at five templates offered by the 
managed money mule recruitment vendor, as¬ 
sess several of their customers currently using them to 
launch targeted and localized to German spam campaigns 

aiming to recruit new money mules, expose their entire 
domains portfolio and associated emails used for 
correspondence with prospective money mules. 

Moreover, we'll actually attempt to becoming a money mule 
by interacting with their market proposition, ob¬ 
tain the financial agent agreements, and expose little known 
facts about how sophisticated and social-engineering 
oriented the entire money mule recruitment process really is. 
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For starters, here's how the service describes itself, and what 
type of packages it offers to prospective money mule 
recruiters. The less sophisticated package is offered for $900 
and the corporate version goes for $1700. 

The first one offers the following: 

- fake company site in English 











































- template-based correspondence letters for the entire 
process 

- the entire document required for the process, custom forms, 
contracts, invoice applications etc. 

- a teach-yourself manual including advice and 
recommendations - available in English and Russian 

- sample spam letters in TXT and HTML, in English only 

The corporate version offers the following: 

- fake company site in several languages, for instance, Dutch, 
German, Bulgarian, Italian etc. 
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- fake signatures representing the CEO, accounts manager 
etc. 

- multiple spam letters in different languages 

- managed domain hosting 

- answering machine number as well as a paid Skype 
subscription as a bonus 

The following are some of the templates - blurred by the 
vendor in order to protect the bogus brands portfo- 







No - currently offered by the service. Three of the templates 
are already in circulation, that means active spamming in 
Italian and German "offering the Moon", and asking for your 
identity and financial reputation: 
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Upon purchasing any of the packages offered, a custom and 
non-existent brand logo and related company informa¬ 
tion will be used on the top of the templates currently 
offered. 

Let's expose some of the bogus brands using these 
campaigns, whose spamming campaigns have been actively 

recruiting new money mules over the past couple of months. 
For instance, the last template - see attached copy of the 
original one - is currently being used by a company known as 
Panin Real Estate - panestate .com - 194.0.200.15 











- Email: disperswave@gmail.com. The site is currently 
localized to English; Italian (panestate .com/index 
_it.html); and Spanish (panestate .com/index _sp.html). 

It gets even more interesting when we start analyzing their 
spam campaign, currently localized to German. 

For instance, it appears that the customer of the managed 
money mule recruitment service is using their basic 

package, since 99 % of their spam emails are using Gmail 
accounts, in fact, one of the spam campaigns is relying on 
the very same email that [9]the domain panestate .com 
has been registered with - disperswave@gmail.com. 
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A sample of the spammed recruitment email: 

11 Liebe Bewerber! Sind Sie schon mude von solchen 
Briefchen, in dem man Ihnen einen Arbeitspiatz anbietet? Ich 
weiss das. Deshalb mochte ich zuerst Sie um Verzeihung 
bitten. Ich habe aber eine freie Vakanz und mochte sie Ihnen 
anbieten. 

Wenn Sie noch keinen Arbeitspiatz gefunden haben, 
schreiben Sie bitte mir an meine E-mail Adresse: Als eine 
Bestatigung brauche ich auch CV und Ihre Telefonnummer, 
damit ich mich mit Ihnen in Verbindung setzen konnte. 

Vielen Dank fur Ihre Zeit und Ihr Interesse! Alle weiteren 
Informationen bekommen Sie per E-Maii. Mit freundlichen 












Grusen" 


Related Gmail accounts used by Panin Real Estate 
money mule recruitment incorporated: 

[10] pancorporate @ gmail.com 

[11] paninwork @ gmail.com 

[12] paninde @ googlemail.com 

[13] panamajeld @ gmail.com 

[14] paninajob @ gmail.com 

[15] pananmakarriere @ gmail.com 

The same spam template localized in German is also 
known to have been used with the following Gmail ac- 
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counts, again operated by money-mule recruitment 
organizations: 

[16] trzzbuded @ gmail.com 

[17] robertojens @ gmail.com 

[18] gradtul @ gmail.com 

[19] hrmiket @ gmail.com 

[20] mike.torhr @ gmail.com 

[21] evkoreyds @ gmail.com 




[22] mike.torhr @ gmail.com 

[23] support @ oplusdevelopment.com - the only exception 

The [24]second template used in the wild - the site returns a 
404 error message - is called Green Star Services website, 
with the customer apparently still in a testing phrase. 

This cannot be said for yet another customer of the same 
service standardizing the money mule recruitment process 
by template-izing it. [25]The fifth template, is actually a 
bogus company called Brand image Advertising Agency 

(internationalbrandimage .com - 91.213.72.142 - Email: 
Sergey Stepanov; userovsky@gmail.com describing itself as: 

11 Advertising agency "Brand image " helps its clients to 
perform their products and services the right way We never 
offer you anything additional that we didn't discuss at the 
beginning. The motto of our work is honesty and we believe 
that this is a very important thing in advertising. 
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We were created to help you in selling products and services. 
"Brand image " typically attempts to assist you in building 
your brand by persuading potential customers to purchase or 
to consume more of your brand of product or service. It is 
vivid from the name of our agency that we are doing a lot for 
your brand. Actually we are constantly working at brand 
management. It is known that the value of the brand is 
determined by the amount of profit it generates for the 
manufacturer. Advertising agency "Brand image " clearly 
understands the main principles of brand name and will be 
glad to help you in choosing the right name for your 
company. 



Advertising agency "Brand image" proudly presents a great 
variety of services it provides. The main advan¬ 
tage of our work is that our management staff is always on¬ 
line and works 24/7 for your convenience. Moreover, our 
offices are located all over the Europe and in the USA that 
makes our work fast and comprehensive. First of ail let us 
introduce you what exactly we offer our clients. However if 
you happen to have any questions in understanding what 
this or that service means, you can always find our contacts 
and use them in communicating with us concerning our 
advertising offers. " 

Sample [26]spam message localized in Italian used to 
recruit for Brand Image Advertising Agency: 

11 Salary: 4,000 Euro; 10 % di ciascuna operazione di 
pagamento - conto personale 10 %; 15 % di ciascuna 
operazione di pagamento - conto corporativo 15 %; Location: 
Italy Accettazione dei pagamenti dai clienti nella vostra zona 

? Accepting payments from customers in your area? favorire 
a realizzare gii obiettivi finanziarie di Compagnia.Le 
condizioni di lavoro. II lavoro tranne internet - ufficio, e anche 
con le banche ei sistemi di trasferimenti veloci. Gii 
interessati ambosessi possono in via re CV con consenso a I 
trattamento dei dati persona I i (art. 13, d.lgs 196/03) e 
requisiti di contatto al e-mail. Se a Voi interessa questo 
lavoro, mandate il curriculum alia nostra: judicialHath- 
awayv?@gmail.com Cordialmente, Sincerely, David De 
Simone David De Simone" 
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A second template is known known to have been 
used, this time offering different commission: 

11 Rappresentante finanziario Informazioni di posti di lavoro 
Post Date: 12/04/2009 Salario: 3.000 EUR/mese + 5 % 

di ciascuna operazione di bonifico Location: Italia Generate 
Description Accettazione dei pagamenti dai clienti nella 
vostra zona e favor ire a realizzare gli obiettivi finanziarie di 
Compagnia. Le condizioni di lavoro II lavoro tranne internet - 
ufficio, e anche con le banche e i sistemi di trasferimenti 
veloci. Contact Details / Apply for this Job Se a Voi interessa 
questo lavoro, mandate il curriculum alia nostra 
individualpeoplecapita I group 7@googlemail. com 




individualpeople .biz/go.php?sid=7 In attesa di Vostro 
riscontro, sa/uti manager HR Robert J. Wilson" 

What we've got here is an identical spam template using a 
template offered by a managed money mule re- 

cruitent design vendor, that is advertising another bogus 
brand, with the domain name itself registered using 

the same detaisl as Brand Image Advertising Agency 

(internationalbrandimage .com - 91.213.72.142 - Email: 
Sergey Stepanov; userovsky@gmail.com). In the case of the 
localized to Italian spam message that's yet another 

bogus brand Individual People Capital Group, 
individualpeople .org - 91.213.72.142 - Email: Sergey 
Stepanov; userovsky@gmail.com. 

Individual People Capital Group describes itself as: 

11 The Individual People Capital Group Companies is one of 
the world's most experienced and successful investment 
management organizations. Our companies manage 
investments for millions of individuals and thousands of 

corporations and institutions. 

The Individual People Capital Group's largest components 
are: 
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• Individual People Funds, which ranks among the three 
largest mutual fund families in the U.S. - managed by 
Individual People Capital Research and Management 
Company, with assets under management of more than 
$750 



billion 


• Individual People Capital Guardian Trust Company and the 
Individual People Capital International companies — 

providers of global investment management services for 
institutional clients, consultants and individuals, with assets 
under management of approximately $300 billion 

For 75 years, we have followed a consistent philosophy and 
approach to generate consistent long-term investment 
results for our investors around the world. At the heart of our 
success is a commitment to a number of core beliefs: the 
importance of long-term investing, the value of in-depth 
global research, adherence to a disciplined investment 
management philosophy, and a code of ethics that 
emphasizes honesty and integrity " 

Known Gmail accounts participating in the money 
mule recruitment and exploit serving process 
courtesy of 

Individual People Capital Group: 

[27] groupindividualpeople @ gmail.com 

[28] newindividualpeople24 @ gmail.com 

[29] newworkgroupindividualpeople @ gmail.com 

[30] individualpeoplecapitalgroup9 @ googlemail.com 

[31] individualpeoplecapitalgroup8 @ googlemail.com 

[32] individualpeoplecapitalgroup7 @ googlemail.com 
individualpeoplecapitalgroup6 @ googlemail.com 



[33]individualpeoplecapitalgr @ googlemail.com 
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[34]As well as the following emails, once again 
maintained by the same customer: 

individualpeoplecapitalgroupl2 @ gmail.com 

individualpeoplecapitalgroupl3 @ gmail.com 

individualpeoplecapitalgroupl4 @ gmail.com 

individualpeoplecapitalgroupl2 @ gmail.com 




individualpeoplecapitalgroupi3 @ gmail.com 
individualpeoplecapitalgroupl4 @ gmail.com 
individualpeoplecapitalgroupl9 @ gmail.com 
individualpeople.one @ gmail.com 
people.individ @ gmail.com 
individ.people @ gmail.com 
individualpeople.too @ gmail.com 
new.individualpeople @ gmail.com 
individual.job.it @ gmail.com 
info.individualpeople @ gmail.com 
j.wilson.sup @ gmail.com 
new.individualpeople @ gmail.com 
people.individ @ gmail.com 
robert.jwn @ gogglemail.com 
robert.wilson.rl @ gmail.com 
robert.wil.r @ gmail.com 
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rob.wilson.r @ googlemail.com 

wilson.wrt @ gmail.com 

workgroupindividualpeople @ gmail.com 

There are cases when money mule recruiters are interested in 
plain simple botnet building, case in point is a 

situation where a spammed money mule spam message 
advertising [35]individualpeople .biz/go.php?sid = 7 was 

actually [36]serving a malicious PDF, next to linking to the 
recruitment site itself (individualpeople .org). 












In order to further demonstrate the ongoing standardizing of 
the money mule recruitment process through 

template-ization, it's time to expose the bogus brands 
portfolio, and associated domains of a money mule 
recruitment organization that has been relying on an 
identical template over the past couple of years. In fact, in 
May, 2009, a [37]botnet which was used by Ukrainian dating 
scam agency Confidential Connections was not only found 

to be directly related to the money mule recruitment gang, 
but the cybercriminals used one of the [38]recruitment 
domains as a command and control server for their botnet 
spamming operations, with the domain itself and one of the 
sampled dating scam ones registered under the same email. 

Brand names for Money Mule Organizations using a 
standardized template offered by a single vendor, all known 
to have been 11 set up in 1990 in New York , the USA by 
three enthusiasts who have financial education' : 

Affina Group Inc; Alliance Group Inc; Annuity Group Inc; 
Archway Group Inc; Armor Group Inc; Assurity Group Co; 
Assurity Group 628 



***** ?«•**< 



Inc; BFS Group Inc; CD I Group Inc; Cosco Group Inc; Dove 
Group Inc; Eagle Group Inc; Entrust Group Inc; Extreme 
Group Inc; Flat Group Inc; Holding Group Inc; Integrity Group 
Inc; Invalda Group Inc; Key Group Inc; Liberty Group Inc; 
Lime Group Inc; Massive Group Inc; Mel son Group Inc; MENA 
Group Inc; O Pm Group Main; OPM Group Inc; 

Premier Group Inc; Prime Group Inc; Prospera Group Inc; 
Puritan Group Inc; Reach Group Inc; Redeye Group Inc; 





Regency Group Inc; Rengo Group Inc; River Group Inc; Saturn 
Group; Scope Group Inc; Stock Group Inc; Strol Group Inc; 
Summit Group Inc; Total Group Inc; Trans Group Inc; United 
Group Inc; Wescom Group Inc 

Parked on 222.35.137.237 are the following domains all 
using the "set up in 1990 in New York, the USA by three 
enthusiasts who have financial education" template: 

affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 

affina-groupnet .com - Email: jelly@infotorrent.ru 
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affina-groupsvc .cc - Email: justin _dickerson@ymail.com 

affina-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

alliance-groupmain .cc - Email: stiv2009@yahoo.com 

annuity-groupnet .cc - Email: justin _dickerson@ymail.com 

assurity-groupco .cn - Email: realsupporters@yahoo.com 

bfs-groupinc .cc - Email: defrankpo@gmail.com 

cdi-groupmain .cn - Email: garry_honn@yahoo.com 

cosco-groupmain .com - Email: 
20090811112700@antispam.alantron.com 

diamond-dream .cc - Email: morgan.greg@yahoo.com 

dove-groupli .cn - Email: abuseemaildhcp@gmail.com 

dummykeath .cc - Email: morgan.greg@yahoo.com 



eagle-groupmain .cn - Email: 
AntwanHarringtonJI@gmail.com 

extreme-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

extreme-groupinc .com - Email: hell@e2mail.ru 

flatgroupfly .cc - Email: steven Jucas _2000@yahoo.com 

geniouspartner .cn - Email: morgan.greg@yahoo.com 

holding-group .cn - Email: ronny.greg@yahoo.com 

integrity-groupinc .cc - Email: justin 
_dickerson@ymail.com 

integrity-groupsvc .cn - Email: 
abuseemaildhcp@gmail.com 

keygroupmain .cn - Email: ErichSullivanKF@gmail.com 
libertygroup .cc - Email: LindseyKimSI@gmail.com 
lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
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Premier Group Inc 


S3 



massive-groupsvc .cc - Email: 
chen.poonl732646@yahoo.com 

massivegroupsvc .cn - Email: abuseemaildhcp@gmail.com 
melson-groupmain .com - Email: enact@co5.ru 
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
opm-group .cn - Email: AbdulStaffordEP@gmail.com 
opm-groupli .com - Email: entrap@namebanana.net 





premier-groupinc .cn - Email: abuseemaildhcp@gmail.com 

prime-groupco .com - Email: Email: fuzz@ml3.ru 

prime-groupinc .cc - Email: 
chen.poonl732646@yahoo.com 

puritan-groupco .cc - Email: justin _dickerson@ymail.com 
puritan-groupco .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupinc .cn - Email: abuseemaildhcp@gmail.com 
reach-group .cc - Email: rick_morris@yahoo.com 
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redeye-groupinc .cc - Email: 
chen.poonl732646@yahoo.com 

regency-groupco .cn - Email: abuseemaildhcp@gmail.com 

regency-groupnet .cc - Email: justin 
_dickerson@ymail.com 

regency-groupnet .cn - Email: 
abuseemaildhcp@gmail.com 

rengo-groupli .com - Email: jaded@co5.ru 

saturn-groupco .cn - Email: abuseemaildhcp@gmail.com 








scope-group .cc - Email: don.ram@yahoo.com 

scope-groupmain .cc - Email: don.ram@yahoo.com 

strol-groupli .cn - Email: abuseemaildhcp@gmail.com 

summit-groupinc .cc - Email: 
Gregory.Michell2009@yahoo.com 

theblackend .cn - Email: morgan.greg@yahoo.com 

vector-groupfine .cn - Email: abuseemaildhcp@gmail.com 

vector-groupfly .cc - Email: mr.freeddyy@yahoo.com 
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afimagroupnetcn 



Parked on 222.35.137.236: 

affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 
affina-groupsvc .cc - Email: justin _dickerson@ymail.com 
annuity-groupllc .cn - Email: abuseemaildhcp@gmail.com 
annuity-groupllc .com - Email: jelly@infotorrent.ru 





annuity-groupnet .cc - Email: justin _dickerson@ymail.com 

annuity-groupnet .cn - Email: abuseemaildhcp@gmail.com 

archway-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

cosco-groupmain .com - Email: chug@freemailbox.ru 

extreme-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

integrity-groupinc .cc - Email: justin 
_dickerson@ymail.com 

integrity-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

integrity-groupsvc .com - Email: jelly@infotorrent.ru 
invalda-groupmain .cn - Email: rocco_invalda@yahoo.com 
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lime-groupnet .cn - Email: abuseemaildhcp@gmail.com 

massive-groupsvc .cc - Email: 
chen.poonl732646@yahoo.com 

prime-groupco .cn - Email: abuseemaildhcp@gmail.com 
prime-groupco .com - Email: fuzz@ml3.ru 
prime-groupinc .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupinc .com - Email: gone@corporatemail.ru 
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com 








redeye-groupinc .cc - Email: 
chen.poonl732646@yahoo.com 

regency-groupnet .cc - Email: justin 
_dickerson@ymail.com 

regency-groupnet .cn - Email: 
abuseemaildhcp@gmail.com 

saturn-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

saturn-groupsvc .com - Email: jelly@infotorrent.ru 

vision-groupinc .cn - Email: abuseemaildhcp@gmail.com 

vision-groupsvc .com - Email: 
abuseemaildhcp@gmail.com 
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aflina-groupsvc.cn 



222 35 136 0/21 


^ s — ► AS38356 


Parked on 222.35.137.235, registered with emails already 
covered: 

affina-groupsvc .cn 
annuity-groupnet .cn 
archway-groupinc .cn 
archway-groupinc .com 




cosco-groupmain .cn 
extreme-groupinc .cn 
extreme-groupinc .com 
integrity-groupinc .cc 
invalda-groupmain .cn 
prime-groupco .com 
prime-groupinc .cc 
puritan-groupco .cn 
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assurity-groupinc.cn 



222.35136.0/21 


AS ► AS38356 


puritan-groupinc .cn 
redeye-groupco .cn 
redeye-groupco .com 
redeye-groupinc .cc 
regency-groupco .com 




regency-groupnet .cn 
saturn-groupco .cn 
scope-group .cn 
scope-groupmain .cn 
vision-groupinc .cn 

Parked on 222.35.137.234, registered with emails already 
covered: 

affina-groupnet .cn 
annuity-groupllc .cn 
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archway-groupinc .cn 
cosco-groupmain .com 
integrity-groupinc .cn 
integrity-groupsvc .cn 
massive-groupsvc .cc 
premier-groupinc .cn 
premier-groupnet .cn 
prime-groupco .cn 
prime-groupinc .cn 
puritan-groupinc .com 



redeye-groupco .cn 
redeye-groupinc .cn 
regency-groupco .cn 
regency-groupco .com 
regency-groupnet .cn 
saturn-groupsvc .cn 
saturn-groupsvc .com 
vision-groupinc .cn 
DNS servers of notice: 
ns2.dummykeath .cc 
ns2.theblackend .cn 
nsl.full-controll .cc 
ns3.geniouspartner .cn 
ns3.theblackend .cn 
nsl.party-reunite .cc 
ns2.bubble-preorder .info 
nsl.windcontrol .cc 
ns3.diamond-dream .cc 


ns.partnergreatest8 .net 



one.goldwonderful9 .info - the [39]command and control 
server used by the botnet managed by a money mule 
organization was using the same nameserver in May, 2009 
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(Q)<S>(@)c3>(@)c3>(g)<S>(@) 


Why «r« you gathering to much information about applicants? Such attention especially to bank account details puts me on guard. 


m You jre responsible for reliability of this information If you're having any difficulties please contact your bank 


Banking Details 


Account Type*! 

Bank Name*: 

Account Type (checking/saving)*: 
Name on the Account*: 

Account Number*: 

Routing Number for ACM transfer*: 

Routing Number for Federal Wire 
Transfer*: 

Date you opened your bank account*: 

How often do you use your bank 
account?*: 

Average amount of each operation*: 

Is it a prepaid account?*: 

Daily withdrawal limit over the 
counter* i 

Have you ever used Western 
Union/Money Gram**: 

Are there Money Gram offices in your 

area’*: 


Personal 


select • 


7 

? 

7 

? 

7 

? 

? 

7 


Next Step Back 


Once the end user falls victim into the recruitment scam, the 
entire process of registration and communication with the 
bogus organization takes place through a web-based 
interface where the potential money mules has to not only 
provide detailed personal data, but also, as much information 
as possible that would help the cybercriminals better achieve 
their objectives. For instance, the template for the money 
mule registration process includes a self-answered question 












which even the average user can get suspicious about - Why 
are you gathering so much information about applicants? 
Such attention especially to bank account details puts me on 
guard. 

The money mule recruitment organization is sticking 
to its professional tone, as usual, and explains that: 

11 In fact that modern financial system is a complex 
instrument, which controls financial streams. The problem is 
that any transfer may be delayed (from 1 to 5 days) but it is 
unacceptable for our business. Transaction should be 
completed by a financial manager the same day money is 
deposited into the bank account. Otherwise, we risk to 

lose money, clients, reputation. Analyzing all the 
details below we'll be able to prepare tasks for every 
agent 

individually. Please fill in all the fields carefully to avoid 
delays while working with your bank. The success of our 
cooperation depends on the accuracy of entered details! 
Please be serious. " 
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Employee Registration - Step 4 


I confirm that I have contacted my bank directly and verified that: 

D my banking information (Account and Routing numbers) are correct. 

| my daily withdrawal limit is in fact $10,000. 
n my current account listed is active, as it may become inactive due to inactivity, 
my account is able to receive funds on daily basis in the amount of $10,000. 


In addition I certify that: 

□ there is a branch of my bank located in my city/town and I am able to get there soon after task 
receipt. 

□ there are Western Union and Money Gram locations in my city/town and I am aware of their exact 
addresses. 

Next Step Back 

*tf you have any doubts or concerns to the above statements, please post-pone your registration until all of the information is 
verified. You carry full liability for providing falsified information. 

""Please bear in mind the Confidentiality Clause in your Agreement when contacting outside parties for information. 


2008 © Group Inc 


It gets even more interesting when the recruitment 
organization starts starts exposing itself as a cybercrime- 

facilitating enterprise, asking questions that only such an 
organization needs to known the answers to, due to 

operational security (OPSEC) and due to their clear 
understanding of the time value of money ([40]Microsoft 
study debunks profitability of the underground economy), 
well stolen money in particular. For instance, the built-in 

registration checks speak for themselves: 

- We don't work with recently opened accounts. For safery 
reasons your bank account must be 90+ days 









- Average number of operations per week required 

- Unfortunately we don't work with prepaid bank accounts 

- Maximum amount you can withdraw in branch daily 

The recruitment organization is clearly aware of basic quality 
assurance concepts, due to its surprising tactic used for 
monitoring the transaction process for each and every money 
mule working with them. How do they achieve this? 

By offering a $100 financial incentive as a bonus for 
each and every money mule that provides the bogus 
company with access to their online banking account 
so that the organization can monitor the transaction 
process remotely. 

It doesn't take a rocket scientist to conclude that even with a 
two-factor authentication requirement there are ways in 
which the organization can hijack the entire financial identity 
of the money mule without his/her knowledge. 
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Employee Registration - Step 4 



I'm feeling uncomfortable giving you my online banking detail*. Why do you need it? I'm worrying about unauthorized access to my 
bank account. 

We require online banking access to monitor deposits coming from our clients. It saves you much time and increase your rating in our 


- There «s nc n#ec tc check your bank account every hour during transaction#. your persona/ supervisor mil do it insfejd cf yen' Yen’ll be informed 
the same nunnts funds emve 

- Ne need to send us your bank account statement every week (msybe 2-3 times a week/ 

- IVe trust you much mere, yen'll receive money bonuses end mere trsnssetiens ' 

It is absolutely safe and legal. We guarantee that all personal details will stay safe. P ease read our Privacy Policy. NOTE: IT'S 
IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE ACCESS. If you have no online access to your bank account, you should contact 
your bank and activate this service. It veil take less than 10 minutes. 


Online Banking Details 

URL: 

Login: 

Password: 


http:// 


Next Step Skip This Step Back 


* At this moment we require online access to your bank account optionally but strongly recommend to apply with online banking 
details. NOTE: 


• agents with online access will have higher priority on getting new tasks (amounts are also larger) 

• agents with online access receive $100 BONUS to base salary every month 

Again, they answer to a common question even the most 
gullible end user would have - I'm feeling uncomfortable 
giving you my online banking details. Why do you need it? 
I'm worrying about unauthorized access to my bank account. 
A question to which they answer by citing increasing bonus 
rating within their system, and that your supervisor will be 
checking your account, thereby improving your trust 
relationship with the organization: 

11 We require online banking access to monitor deposits 
coming from our clients. It saves you much time and 
increase your rating in our system: 

- There is no need to check your bank account every hour 
during transactions, your personal supervisor will do it 
instead of you! You'll be informed the same minute funds 
arrive. 












- No need to send us your bank account statement every 
week (maybe 2-3 times a week). 

- We trust you much more, you'll receive money bonuses and 
more transactions! 

It is absolutely safe and legal. We guarantee that all personal 
details will stay safe. Please read our Privacy Policy. NOTE: 
IT'S IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE 
ACCESS. If you have no online access to your bank account, 
you should contact your bank and activate this service. It will 
take less than 10 minutes. " 

The very idea that the money mule has reached the tipping 
point of its gullibility in order to provide the or¬ 
ganization with access to their bank account is surreal, but 
clearly possible since having reached point of the 
registration process means they have absolutely no idea 
what they're doing. 

The following are sample screenshots from the web interface 
used by the organization and the money mules 

themselves: 
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^ MY TASKS 


Task name > 





<2 Tr»nt»rt.on 136337 *** Op«n 

High 

09.01.2009 

18:36:10 

t b Admin 










® COMPLETE TASK 


Task name » 


£? Transaction 136337 


Further instructions ► 


> Status 

» Priority 

» Created 

► Comments 

^ ... . 09.01.2009 

° P *" M, « h 18:36:10 

iment b Admin 


Dear John Blackmore, 

We are glad to inform you about new task! Please review transfer details: 


Western Union orders details » 


Transfer type: 

First Name: 

Last Name: 

City: 

Country: 

Reference Number (MTCN)*: 
Western Union fee (USD) 4 ': 


Employes details » 


First Name*: 
Last Name*: 
City*: 
Country*: 


Comments: 


Fintsh transaction ] 


| John 


Blackmore 


N«v York 

United States 



Western Union 


Lora 


Welling 


Berlin 


■Jus . 54? _ 5754 ? 


600 | 
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^ COMPLETED TASKS 


Task name » 

» Status 

> Priority 

. Created 

» Comments 


& Transaction 136357 
a Transaction 136360 


Done High 


High 


09.01.2009 

18:46:50 

09.01.2009 

18:45:18 


nt by Admin 

No comment 


Done 
































































Q VIEW MESSAGE 

Message From/Date (GMT) ► 

Message Text ► 

Reply. 

Trash ► 

Supervisor 

Welcome! 



09.01.2009 18:49:39 

Dear John felackmore. 




We welcome you as a new employee. 

Reply 

Trash 


Sincerely, 

Personnel Supervisor 





Moreover, sample agreement that each and every money 
mule has to accepted before becoming part of the 

money mule recruitment network. A second agreement 
contract containing unique (Photoshop-ed) signing seal 

for each of the bogus brands has to be also signed, scanned 
and uploaded through their interface. Both of these 
agreements, including localized copies in several 
different languages can be purchased from the 
managed money mule recruitment vendor from $30 
to $70. Here's a sample of the agreement and tag clouds for 
the company description, the agreement itself and the FAQ: 
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transactions 
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DUTIES: 

The Contractor undertakes the responsibility to receive 
payments from the Clients of the Company to his personal 
bank account , withdraw cash and to effect payments to the 
Company's partners by Western Union or MoneyGram 

money transfer system within one (1) day He/she will report 
directly to the senior manager and to any other party 
designated by the senior manager in connection with the 
performance of the duties under this Agreement and shall 
fulfill any other duties reasonably requested by the Company 
and agreed to by the Contractor. 

CONFIDENTIALITY: 

The Contractor acknowledges that during the engagement 
he will have access to and become acquainted with 

various trade secrets, inventions, innovations, processes, 
information, records and specications owned or licensed by 
the Company and/or used by the Company in connection 



with the operation of its business including, without 
limitation, the Company's business and product processes, 
methods, customer lists, accounts and procedures. The 
Contractor agrees that he will not disclose any of the 
aforesaid, directly or indirectly, or use any of them in any 
manner, either during the term of this Agreement or at any 
time thereafter. AH les, records, documents, blueprints, 
specications, information, letters, notes, media lists, original 
artwork/creative, notebooks, and similar items relating to the 
business of the Company, whether prepared by the 
Contractor or otherwise coming into his possession, shall 
remain the exclusive property of the Company. 

The Contractor shall not retain any copies of the foregoing 
without the Company's prior written permission. 

The Contractor further agrees that he will not disclose his 
retention as an independent contractor or the terms of this. 
Agreement to any person without the prior written consent 
of the Company and shall at all times preserve the 
condential nature of his relationship to the Company and of 
the services hereunder. If the Contractor releases any 

of the above information to any parties outside of this 
company, such as personal friend, dose relatives or 
other 

Financial Institutions such as a Bank or other 
Financial Firms, it could be grounds for immediate 
termination, if the Contractor is ever in doubt of what 
information can be released and when, the Contractor will 
contact their superior right away. 

TERMS OF ENGAGEMENT 
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BUSINESS 


ADDED 

NOTICE 
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send INFORMATION c ompen sation _ '«*** 

DETAILS HOURS 

REASON - -- 

SYSTEM 

OPERATIONS 

"COMMISSION 

^TRANSFER 

^FINANCIAL 


AMOUNTS AM0WT 

MEEK SOW'C® 

> TASKS PLEASE , «g‘"*“3KS 

UNION/MONEY 

M customers "■ 


CUKUKSUNCCS 


MORNING 

•3 COVERED 

WESTERN 


PAYMENT evert 

PARTNERS BASE yes 
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JOB 

BANNING 


■ ■■ ^ LEGALLY PAVMPNTC RECEIVE 

—^ACCOUNT 
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The Contractor is engaged by the Company on terms of 
thirty days (30) probationary period. During the 
probationary 

period the Company undertakes to pay to the 
Contractor the base salary amounting to 2300 USD 
per month 

plus 8 % commission from each payment processing 
operation. After the probationary period the Company 

agrees to revise and raise the base salary up to 3000 
USD. The Company has the right to cancel this Agreement at 
any time within the probationary period or refuse to extend it 
after that, should the Contractor refuses to fulfill his/her 
obligations under this Agreement or fulfills them not in good 
faith. The Contractor has the right to terminate the 
Agreement at any time on condition that he/she has 



processed all previous payments and has no new 
instructions. 

COMPENSATION: 

The Company undertakes to pay taxes accrued in connection 
with money transfer. The Company shall also reimburse part 
of expenses which are incurred in connection with money 
transfer by Western Union or MoneyGram systems (should 
money transfer charges exceed 3 %, i. e. commission for 
payment processing operation). The above difference will be 
automatically added to the basic salary of the Contractor 
and paid once per month together with the basic salary. AH 
reasonable and approved out-of-pocket expenses which are 
incurred in connection with the performance of the duties 
hereunder shall be reimbursed by the Company during the 
term of this Agreement, against the bill presented by the 
Contractor. The Company shall have the right to decrease 
the Contractor's commission in case the payment processing 
terms were violated by the Contractor. 

Should the Contractor delays re-sending money accepted to 
his bank account for the period exceeding one (1) day 
without any explicit reason, the Company shall have the 
right to impose sanctions on the Contractor if only the delay 
has not been caused by the Force Majeur circumstances and 
to apply to the arbitration and claim for the reimburse of the 
amount transferred to his account or for compensation for 
other damage if any, evicted due to the delay. The 
Contractor may take days off at any time and at his/her 
option upon giving five (5) working days advance notice 644 




in writing to the Company in order that the latter may 
abstain from charging the Contractor with new instructions. 

However, salary for each day-off is deducted from the 
Contractor's base salary. 11 

Sample agreement that each and every potential money 
mule has to upload through the web interface, inter¬ 
estingly, each and every of the bogus brands has a custom 
made seal, part of the services offered by the managed 
vendor: 
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With such a professional attitude towards their work, now a 
process that's easily outsourced to vendors specializing 647 

























in quality design and bogus company creation services, their 
recruitment process is prone to reach new levels of efficiency, 
which is why standardization was applied at the first place. 
However, just like in the case of malware and scareware, 
template-ization undermines their operational security 
(OPSEC) a process which they're clearly aware, but do not 
fully utilize since money mule recruitment is currently in 
efficiency-mode. 

Knowing the transactions pattern for a money mule 
recruitment, one which is clearly visible while going through 
their agreements, can in fact make it easier for financial 
institutions to protect their customers from themselves 
before it gets too late and they unknowingly dive deep into 
the money mule recruitment business model. 

Related posts: 

[41] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[42] Money Mules Syndicate Actively Recruiting Since 2002 

[43] lnside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [44]Dancho Danchev's 
blog. 
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Standardizing the Money Mule Recruitment Process 
( 2009 - 10-06 09 : 23 ) 

[l]Ah, deja vu! How is it possible that the [2]Scope Group 
money mule recruitment group acting as the employer 

for the interviewed mule has been " set up in 1990 in New 
York, the USA by three enthusiasts who have financial 
education" just like [3]AF-GROUP LLC and its portfolio of 
brands, whose 30k [4]botnet operations I exposed and took 
down in May, 2009, next to establishing a direct connection 
between the botnet and an [5]Ukrainian dating scam 


agency known as "Confidential Connections"? 





Pretty simple - just like the efficiency-centered mentality 
applied in the [6]template-ization of [7]malware, the ongoing 
standardization of the money mule recruitment business 
model is resulting in a bogus brand portfolios using identical 
web site layouts next to the same copy writing materials 
offered by a single vendor exclusively working with money 
mule recruitment organizations only. A couple of years ago, 
the money mule recruitment process was largely inefficient 
due to the operational security applied - [8]not everyone 
could become a money mule unless certain 

criteria was met. A newly launched managed money mule 
recruitment design agency that I've been monitoring for a 
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while, is poised to help cybercriminals achieve faster 
recruitment rates based on the cybercriminal-tailored 
services it's offering. 

Whereas it's been operating beneath the radar for several 
years, exclusively serving known and trusted cyber¬ 
criminals, it's recent mainstream business model is a great 
example of a timely underground market proposition due to 
the fact that the current economic climate best suits the 
money mule recruitment business model due to its high 
commissions for processing fraudulently obtained money. 

Do you infiltrate the entire assembly line, or do you assess 
the final product? Appreciate my rhetoric as usual, it's full 
disclosure time, hence infiltrating the assembly line. 

In this post, we'll take a look at five templates offered by the 
managed money mule recruitment vendor, as¬ 
sess several of their customers currently using them to 
launch targeted and localized to German spam campaigns 

aiming to recruit new money mules, expose their entire 
domains portfolio and associated emails used for 
correspondence with prospective money mules. 

Moreover, we'll actually attempt to becoming a money mule 
by interacting with their market proposition, ob¬ 
tain the financial agent agreements, and expose little known 
facts about how sophisticated and social-engineering 
oriented the entire money mule recruitment process really is. 
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THANK YOU FOR YOUR BUSHES? 


For starters, here's how the service describes itself, and what 
type of packages it offers to prospective money mule 
recruiters. The less sophisticated package is offered for $900 
and the corporate version goes for $1700. 

The first one offers the following: 

- fake company site in English 










































- template-based correspondence letters for the entire 
process 

- the entire document required for the process, custom forms, 
contracts, invoice applications etc. 

- a teach-yourself manual including advice and 
recommendations - available in English and Russian 

- sample spam letters in TXT and HTML, in English only 

The corporate version offers the following: 

- fake company site in several languages, for instance, Dutch, 
German, Bulgarian, Italian etc. 

- fake signatures representing the CEO, accounts manager 
etc. 
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- multiple spam letters in different languages 

- managed domain hosting 

- answering machine number as well as a paid Skype 
subscription as a bonus 

The following are some of the templates - blurred by the 
vendor in order to protect the bogus brands portfo¬ 
lio - currently offered by the service. Three of the templates 
are already in circulation, that means active spamming in 
Italian and German "offering the Moon", and asking for your 
identity and financial reputation: 
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Upon purchasing any of the packages offered, a custom and 
non-existent brand logo and related company informa¬ 
tion will be used on the top of the templates currently 
offered. 

Let's expose some of the bogus brands using these 
campaigns, whose spamming campaigns have been actively 

recruiting new money mules over the past couple of months. 
For instance, the last template - see attached copy of the 
original one - is currently being used by a company known as 
Panin Real Estate - panestate .com - 194.0.200.15 











- Email: disperswave@gmail.com. The site is currently 
localized to English; Italian (panestate .com/index 
_it.html); and Spanish (panestate .com/index _sp.html). 

It gets even more interesting when we start analyzing their 
spam campaign, currently localized to German. 

For instance, it appears that the customer of the managed 
money mule recruitment service is using their basic 

package, since 99 % of their spam emails are using Gmail 
accounts, in fact, one of the spam campaigns is relying on 
the very same email that [9]the domain panestate .com 
has been registered with - disperswave@gmail.com. 
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A sample of the spammed recruitment email: 

11 Liebe Bewerber! Sind Sie schon mude von solchen 
Briefchen, in dem man Ihnen einen Arbeitspiatz anbietet? Ich 
weiss das. Deshalb mochte ich zuerst Sie um Verzeihung 
bitten. Ich habe aber eine freie Vakanz und mochte sie Ihnen 
anbieten. 

Wenn Sie noch keinen Arbeitspiatz gefunden haben, 
schreiben Sie bitte mir an meine E-mail Adresse: Als eine 
Bestatigung brauche ich auch CV und Ihre Telefonnummer, 
damit ich mich mit Ihnen in Verbindung setzen konnte. 

Vielen Dank fur Ihre Zeit und Ihr Interesse! Alle weiteren 
Informationen bekommen Sie per E-Maii. Mit freundlichen 












Grusen" 


Related Gmail accounts used by Panin Real Estate 
money mule recruitment incorporated: 

[10] pancorporate @ gmail.com 

[11] paninwork @ gmail.com 

[12] paninde @ googlemail.com 

[13] panamajeld @ gmail.com 

[14] paninajob @ gmail.com 

[15] pananmakarriere @ gmail.com 

The same spam template localized in German is also 
known to have been used with the following Gmail ac¬ 
counts, again operated by money-mule recruitment 
organizations: 

[16] trzzbuded @ gmail.com 
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[17] robertojens @ gmail.com 

[18] gradtul @ gmail.com 

[19] hrmiket @ gmail.com 

[20] mike.torhr @ gmail.com 

[21] evkoreyds @ gmail.com 

[22] mike.torhr @ gmail.com 


[23]support @ oplusdevelopment.com - the only exception 




The [24]second template used in the wild - the site returns a 
404 error message - is called Green Star Services website, 
with the customer apparently still in a testing phrase. 

This cannot be said for yet another customer of the same 
service standardizing the money mule recruitment process 
by template-izing it. [25]The fifth template, is actually a 
bogus company called Brand image Advertising Agency 

(internationalbrandimage .com - 91.213.72.142 - Email: 
Sergey Stepanov; userovsky@gmail.com describing itself as: 

11 Advertising agency "Brand image" helps its clients to 
perform their products and services the right way We never 
offer you anything additional that we didn't discuss at the 
beginning. The motto of our work is honesty and we believe 
that this is a very important thing in advertising. 

We were created to help you in selling products and services. 
"Brand image" typically attempts to assist you 660 

in building your brand by persuading potential customers to 
purchase or to consume more of your brand of product or 
service. It is vivid from the name of our agency that we are 
doing a lot for your brand. Actually we are constantly 
working at brand management. It is known that the value of 
the brand is determined by the amount of profit it generates 
for the manufacturer. Advertising agency “Brand Image" 
clearly understands the main principles of brand name and 
will be glad to help you in choosing the right name for your 
company. 

Advertising agency "Brand Image" proudly presents a great 
variety of services it provides. The main advan¬ 
tage of our work is that our management staff is always on¬ 
line and works 24/7 for your convenience. Moreover, our 
offices are located all over the Europe and in the USA that 



makes our work fast and comprehensive. First of all let us 
introduce you what exactly we offer our clients. However if 
you happen to have any questions in understanding what 
this or that service means, you can always find our contacts 
and use them in communicating with us concerning our 
advertising offers. " 

Sample [26]spam message localized in Italian used to 
recruit for Brand Image Advertising Agency: 

11 Salary: 4,000 Euro; 10 % di ciascuna operazione di 
pagamento - conto personale 10 %; 15 % di ciascuna 
operazione di pagamento - conto corporativo 15 %; Location: 
Italy Accettazione dei pagamenti dai clienti nella vostra zona 

? Accepting payments from customers in your area? favorire 
a realizzare gli obiettivi finanziarie di Compagnia.Le 
condizioni di lavoro. II lavoro tranne internet - ufficio, e anche 
con le banche ei sistemi di trasferimenti veloci. Gli 
interessati ambosessi possono in via re CV con consenso a I 
trattamento dei dati persona I i (art. 13, d.lgs 196/03) e 
requisiti di contatto al e-mail. Se a Voi interessa questo 
lavoro, mandate il curriculum alia nostra: judicialHath- 
awayv?@gmail.com Cordialmente, Sincerely, David De 
Simone David De Simone" 
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A second template is known known to have been 
used, this time offering different commission: 

11 Rappresentante finanziario Informazioni di posti di lavoro 
Post Date: 12/04/2009 Salario: 3.000 EUR/mese + 5 % 

di ciascuna operazione di bonifico Location: Italia Generate 
Description Accettazione dei pagamenti dai clienti nella 
vostra zona e favor ire a realizzare gli obiettivi finanziarie di 
Compagnia. Le condizioni di lavoro II lavoro tranne internet - 
ufficio, e anche con le banche e i sistemi di trasferimenti 
veloci. Contact Details / Apply for this Job Se a Voi interessa 
questo lavoro, mandate il curriculum alia nostra 
individualpeoplecapita I group 7@googlemail. com 




individualpeople .biz/go.php?sid=7 In attesa di Vostro 
riscontro, sa/uti manager HR Robert J. Wilson" 

What we've got here is an identical spam template using a 
template offered by a managed money mule re- 

cruitent design vendor, that is advertising another bogus 
brand, with the domain name itself registered using 

the same detaisl as Brand Image Advertising Agency 

(internationalbrandimage .com - 91.213.72.142 - Email: 
Sergey Stepanov; userovsky@gmail.com). In the case of the 
localized to Italian spam message that's yet another 

bogus brand Individual People Capital Group, 
individualpeople .org - 91.213.72.142 - Email: Sergey 
Stepanov; userovsky@gmail.com. 

Individual People Capital Group describes itself as: 

11 The Individual People Capital Group Companies is one of 
the world's most experienced and successful investment 
management organizations. Our companies manage 
investments for millions of individuals and thousands of 

corporations and institutions. 

The Individual People Capital Group's largest components 
are: 

662 

• Individual People Funds, which ranks among the three 
largest mutual fund families in the U.S. - managed by 
Individual People Capital Research and Management 
Company, with assets under management of more than 
$750 



billion 


• Individual People Capital Guardian Trust Company and the 
Individual People Capital International companies — 

providers of global investment management services for 
institutional clients, consultants and individuals, with assets 
under management of approximately $300 billion 

For 75 years, we have followed a consistent philosophy and 
approach to generate consistent long-term investment 
results for our investors around the world. At the heart of our 
success is a commitment to a number of core beliefs: the 
importance of long-term investing, the value of in-depth 
global research, adherence to a disciplined investment 
management philosophy, and a code of ethics that 
emphasizes honesty and integrity " 

Known Gmail accounts participating in the money 
mule recruitment and exploit serving process 
courtesy of 

Individual People Capital Group: 

[27] groupindividualpeople @ gmail.com 

[28] newindividualpeople24 @ gmail.com 

[29] newworkgroupindividualpeople @ gmail.com 

[30] individualpeoplecapitalgroup9 @ googlemail.com 

[31] individualpeoplecapitalgroup8 @ googlemail.com 

[32] individualpeoplecapitalgroup7 @ googlemail.com 
individualpeoplecapitalgroup6 @ googlemail.com 



[33]individualpeoplecapitalgr @ googlemail.com 
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[34]As well as the following emails, once again 
maintained by the same customer: 

individualpeoplecapitalgroupl2 @ gmail.com 

individualpeoplecapitalgroupl3 @ gmail.com 

individualpeoplecapitalgroupl4 @ gmail.com 

individualpeoplecapitalgroupl2 @ gmail.com 




individualpeoplecapitalgroupi3 @ gmail.com 
individualpeoplecapitalgroupl4 @ gmail.com 
individualpeoplecapitalgroupl9 @ gmail.com 
individualpeople.one @ gmail.com 
people.individ @ gmail.com 
individ.people @ gmail.com 
individualpeople.too @ gmail.com 
new.individualpeople @ gmail.com 
individual.job.it @ gmail.com 
info.individualpeople @ gmail.com 
j.wilson.sup @ gmail.com 
new.individualpeople @ gmail.com 
people.individ @ gmail.com 
robert.jwn @ gogglemail.com 
robert.wilson.rl @ gmail.com 
robert.wil.r @ gmail.com 
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rob.wilson.r @ googlemail.com 

wilson.wrt @ gmail.com 

workgroupindividualpeople @ gmail.com 

There are cases when money mule recruiters are interested in 
plain simple botnet building, case in point is a 

situation where a spammed money mule spam message 
advertising [35]individualpeople .biz/go.php?sid = 7 was 

actually [36]serving a malicious PDF, next to linking to the 
recruitment site itself (individualpeople .org). 












In order to further demonstrate the ongoing standardizing of 
the money mule recruitment process through 

template-ization, it's time to expose the bogus brands 
portfolio, and associated domains of a money mule 
recruitment organization that has been relying on an 
identical template over the past couple of years. In fact, in 
May, 2009, a [37]botnet which was used by Ukrainian dating 
scam agency Confidential Connections was not only found 

to be directly related to the money mule recruitment gang, 
but the cybercriminals used one of the [38]recruitment 
domains as a command and control server for their botnet 
spamming operations, with the domain itself and one of the 
sampled dating scam ones registered under the same email. 

Brand names for Money Mule Organizations using a 
standardized template offered by a single vendor, all known 
to have been 11 set up in 1990 in New York , the USA by 
three enthusiasts who have financial education' : 

Affina Group Inc; Alliance Group Inc; Annuity Group Inc; 
Archway Group Inc; Armor Group Inc; Assurity Group Co; 
Assurity Group 665 
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Inc; BFS Group Inc; CD I Group Inc; Cosco Group Inc; Dove 
Group Inc; Eagle Group Inc; Entrust Group Inc; Extreme 
Group Inc; Flat Group Inc; Holding Group Inc; Integrity Group 
Inc; Invalda Group Inc; Key Group Inc; Liberty Group Inc; 
Lime Group Inc; Massive Group Inc; Melson Group Inc; MENA 
Group Inc; O Pm Group Main; OPM Group Inc; 

Premier Group Inc; Prime Group Inc; Prospera Group Inc; 
Puritan Group Inc; Reach Group Inc; Redeye Group Inc; 





Regency Group Inc; Rengo Group Inc; River Group Inc; Saturn 
Group; Scope Group Inc; Stock Group Inc; Strol Group Inc; 
Summit Group Inc; Total Group Inc; Trans Group Inc; United 
Group Inc; Wescom Group Inc 

Parked on 222.35.137.237 are the following domains all 
using the "set up in 1990 in New York, the USA by three 
enthusiasts who have financial education" template: 

affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 

affina-groupnet .com - Email: jelly@infotorrent.ru 
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affina-groupsvc .cc - Email: justin _dickerson@ymail.com 

affina-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

alliance-groupmain .cc - Email: stiv2009@yahoo.com 

annuity-groupnet .cc - Email: justin _dickerson@ymail.com 

assurity-groupco .cn - Email: realsupporters@yahoo.com 

bfs-groupinc .cc - Email: defrankpo@gmail.com 

cdi-groupmain .cn - Email: garry_honn@yahoo.com 

cosco-groupmain .com - Email: 
20090811112700@antispam.alantron.com 

diamond-dream .cc - Email: morgan.greg@yahoo.com 

dove-groupli .cn - Email: abuseemaildhcp@gmail.com 

dummykeath .cc - Email: morgan.greg@yahoo.com 



eagle-groupmain .cn - Email: 
AntwanHarringtonJI@gmail.com 

extreme-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

extreme-groupinc .com - Email: hell@e2mail.ru 

flatgroupfly .cc - Email: steven Jucas _2000@yahoo.com 

geniouspartner .cn - Email: morgan.greg@yahoo.com 

holding-group .cn - Email: ronny.greg@yahoo.com 

integrity-groupinc .cc - Email: justin 
_dickerson@ymail.com 

integrity-groupsvc .cn - Email: 
abuseemaildhcp@gmail.com 

keygroupmain .cn - Email: ErichSullivanKF@gmail.com 
libertygroup .cc - Email: LindseyKimSI@gmail.com 
lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com 


667 



Premier Group Inc 


S3 



massive-groupsvc .cc - Email: 
chen.poonl732646@yahoo.com 

massivegroupsvc .cn - Email: abuseemaildhcp@gmail.com 
melson-groupmain .com - Email: enact@co5.ru 
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
opm-group .cn - Email: AbdulStaffordEP@gmail.com 
opm-groupli .com - Email: entrap@namebanana.net 





premier-groupinc .cn - Email: abuseemaildhcp@gmail.com 

prime-groupco .com - Email: Email: fuzz@ml3.ru 

prime-groupinc .cc - Email: 
chen.poonl732646@yahoo.com 

puritan-groupco .cc - Email: justin _dickerson@ymail.com 
puritan-groupco .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupinc .cn - Email: abuseemaildhcp@gmail.com 
reach-group .cc - Email: rick_morris@yahoo.com 
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redeye-groupinc .cc - Email: 
chen.poonl732646@yahoo.com 

regency-groupco .cn - Email: abuseemaildhcp@gmail.com 

regency-groupnet .cc - Email: justin 
_dickerson@ymail.com 

regency-groupnet .cn - Email: 
abuseemaildhcp@gmail.com 

rengo-groupli .com - Email: jaded@co5.ru 

saturn-groupco .cn - Email: abuseemaildhcp@gmail.com 








scope-group .cc - Email: don.ram@yahoo.com 

scope-groupmain .cc - Email: don.ram@yahoo.com 

strol-groupli .cn - Email: abuseemaildhcp@gmail.com 

summit-groupinc .cc - Email: 
Gregory.Michell2009@yahoo.com 

theblackend .cn - Email: morgan.greg@yahoo.com 

vector-groupfine .cn - Email: abuseemaildhcp@gmail.com 

vector-groupfly .cc - Email: mr.freeddyy@yahoo.com 
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Parked on 222.35.137.236: 

affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 

affina-groupsvc .cc - Email: justin _dickerson@ymail.com 

annuity-groupllc .cn - Email: abuseemaildhcp@gmail.com 

annuity-groupllc .com - Email: jelly@infotorrent.ru 

annuity-groupnet .cc - Email: justin _dickerson@ymail.com 

annuity-groupnet .cn - Email: abuseemaildhcp@gmail.com 

archway-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

cosco-groupmain .com - Email: chug@freemailbox.ru 


extreme-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

integrity-groupinc .cc - Email: justin 
_dickerson@ymail.com 

integrity-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

integrity-groupsvc .com - Email: jelly@infotorrent.ru 
invalda-groupmain .cn - Email: rocco_invalda@yahoo.com 
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lime-groupnet .cn - Email: abuseemaildhcp@gmail.com 

massive-groupsvc .cc - Email: 
chen.poonl732646@yahoo.com 

prime-groupco .cn - Email: abuseemaildhcp@gmail.com 

prime-groupco .com - Email: fuzz@ml3.ru 

prime-groupinc .cn - Email: abuseemaildhcp@gmail.com 

puritan-groupinc .com - Email: gone@corporatemail.ru 

redeye-groupco .cn - Email: abuseemaildhcp@gmail.com 

redeye-groupinc .cc - Email: 
chen.poonl732646@yahoo.com 

regency-groupnet .cc - Email: justin 
_dickerson@ymail.com 


regency-groupnet .cn - Email: 
abuseemaildhcp@gmail.com 

saturn-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

saturn-groupsvc .com - Email: jelly@infotorrent.ru 

vision-groupinc .cn - Email: abuseemaildhcp@gmail.com 

vision-groupsvc .com - Email: 
abuseemaildhcp@gmail.com 
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Parked on 222.35.137.235, registered with emails already 
covered: 

affina-groupsvc .cn 
annuity-groupnet .cn 
archway-groupinc .cn 
archway-groupinc .com 
cosco-groupmain .cn 
extreme-groupinc .cn 
extreme-groupinc .com 
integrity-groupinc .cc 
invalda-groupmain .cn 
prime-groupco .com 


prime-groupinc .cc 
puritan-groupco .cn 
puritan-groupinc .cn 
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redeye-groupco .cn 
redeye-groupco .com 
redeye-groupinc .cc 
regency-groupco .com 
regency-groupnet .cn 
saturn-groupco .cn 
scope-group .cn 
scope-groupmain .cn 
vision-groupinc .cn 

Parked on 222.35.137.234, registered with emails already 
covered: 

affina-groupnet .cn 
annuity-groupllc .cn 
archway-groupinc .cn 
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cosco-groupmain .com 
integrity-groupinc .cn 
integrity-groupsvc .cn 
massive-groupsvc .cc 
premier-groupinc .cn 
premier-groupnet .cn 
prime-groupco .cn 
prime-groupinc .cn 
puritan-groupinc .com 
redeye-groupco .cn 
redeye-groupinc .cn 
regency-groupco .cn 
regency-groupco .com 
regency-groupnet .cn 
saturn-groupsvc .cn 
saturn-groupsvc .com 
vision-groupinc .cn 
DNS servers of notice: 
ns2.dummykeath .cc 


ns2.theblackend .cn 



nsl.full-controll .cc 


ns3.geniouspartner .cn 
ns3.theblackend .cn 
nsl.party-reunite .cc 
ns2.bubble-preorder .info 
nsl.windcontrol .cc 
ns3.diamond-dream .cc 
ns.partnergreatest8 .net 

one.goldwonderful9 .info - the [39]command and control 
server used by the botnet managed by a money mule 
organization was using the same nameserver in May, 2009 
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Once the end user falls victim into the recruitment scam, the 
entire process of registration and communication with the 
bogus organization takes place through a web-based 
interface where the potential money mules has to not only 
provide detailed personal data, but also, as much information 
as possible that would help the cybercriminals better achieve 
their objectives. For instance, the template for the money 
mule registration process includes a self-answered question 
which even the average user can get suspicious about - Why 
are you gathering so much information about applicants? 
Such attention especially to bank account details puts me on 
guard. 


The money mule recruitment organization is sticking 
to its professional tone, as usual, and explains that: 

" In fact that modern financial system is a complex 
instrument, which controls financial streams. The problem is 
that any transfer may be delayed (from 1 to 5 days) but it is 
unacceptable for our business. Transaction should be 
completed by a financial manager the same day money is 
deposited into the bank account. Otherwise, we risk to 

lose money, clients, reputation. Analyzing all the 
details below we'll be able to prepare tasks for every 
agent 

individually. Please fill in all the fields carefully to avoid 
delays while working with your bank. The success of our 
cooperation depends on the accuracy of entered details! 
Please be serious. " 
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It gets even more interesting when the recruitment 
organization starts starts exposing itself as a cybercrime- 

facilitating enterprise, asking questions that only such an 
organization needs to known the answers to, due to 

operational security (OPSEC) and due to their clear 
understanding of the time value of money ([40]Microsoft 
study debunks profitability of the underground economy), 
well stolen money in particular. For instance, the built-in 

registration checks speak for themselves: 

- We don't work with recently opened accounts. For safery 
reasons your bank account must be 90+ days 


- Average number of operations per week required 

- Unfortunately we don't work with prepaid bank accounts 

- Maximum amount you can withdraw in branch daily 

The recruitment organization is clearly aware of basic quality 
assurance concepts, due to its surprising tactic used for 
monitoring the transaction process for each and every money 
mule working with them. How do they achieve this? 

By offering a $100 financial incentive as a bonus for 
each and every money mule that provides the bogus 
company with access to their online banking account 
so that the organization can monitor the transaction 
process remotely. 

It doesn't take a rocket scientist to conclude that even with a 
two-factor authentication requirement there are ways in 
which the organization can hijack the entire financial identity 
of the money mule without his/her knowledge. 
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Again, they answer to a common question even the most 
gullible end user would have - I'm feeling uncomfortable 
giving you my online banking details. Why do you need it? 
I'm worrying about unauthorized access to my bank account. 
A question to which they answer by citing increasing bonus 
rating within their system, and that your supervisor will be 
checking your account, thereby improving your trust 
relationship with the organization: 

11 We require online banking access to monitor deposits 
coming from our clients. It saves you much time and 
increase your rating in our system: 


- There is no need to check your bank account every hour 
during transactions, your personal supervisor will do it 
instead of you! You'll be informed the same minute funds 
arrive. 

- No need to send us your bank account statement every 
week (maybe 2-3 times a week). 

- We trust you much more, you'll receive money bonuses and 
more transactions! 

It is absolutely safe and legal. We guarantee that all personal 
details will stay safe. Please read our Privacy Policy. NOTE: 
IT'S IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE 
ACCESS. If you have no online access to your bank account, 
you should contact your bank and activate this service. It will 
take less than 10 minutes. " 

The very idea that the money mule has reached the tipping 
point of its gullibility in order to provide the or¬ 
ganization with access to their bank account is surreal, but 
clearly possible since having reached point of the 
registration process means they have absolutely no idea 
what they're doing. 

The following are sample screenshots from the web interface 
used by the organization and the money mules 


themselves: 


£ 
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Moreover, sample agreement that each and every money 
mule has to accepted before becoming part of the 

money mule recruitment network. A second agreement 
contract containing unique (Photoshop-ed) signing seal 

for each of the bogus brands has to be also signed, scanned 
and uploaded through their interface. Both of these 
agreements, including localized copies in several 
different languages can be purchased from the 
managed money mule recruitment vendor from $30 
to $70. Here's a sample of the agreement and tag clouds for 
the company description, the agreement itself and the FAQ: 

DUTIES: 

The Contractor undertakes the responsibility to receive 
payments from the Clients of the Company to his personal 
bank account, withdraw cash and to effect payments to the 
Company's partners by Western Union or MoneyGram 
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money transfer system within one (1) day He/she will report 
directly to the senior manager and to any other party 
designated by the senior manager in connection with the 
performance of the duties under this Agreement and shall 


fulfill any other duties reasonably requested by the Company 
and agreed to by the Contractor. 

CONFIDENTIALITY: 

The Contractor acknowledges that during the engagement 
he will have access to and become acquainted with 

various trade secrets, inventions, innovations, processes, 
information, records and sped cations owned or licensed by 
the Company and/or used by the Company in connection 
with the operation of its business including, without 
limitation, the Company's business and product processes, 
methods, customer lists, accounts and procedures. The 
Contractor agrees that he will not disclose any of the 
aforesaid, directly or indirectly, or use any of them in any 
manner, either during the term of this Agreement or at any 
time thereafter. AH les, records, documents, blueprints, sped 
cations, information, letters, notes, media lists, original 
artwork/creative, notebooks, and similar items relating to the 
business of the Company, whether prepared by the 
Contractor or otherwise coming into his possession, shall 
remain the exclusive property of the Company. 

The Contractor shall not retain any copies of the foregoing 
without the Company's prior written permission. 

The Contractor further agrees that he will not disclose his 
retention as an independent contractor or the terms of this. 
Agreement to any person without the prior written consent 
of the Company and shall at all times preserve the con 
dential nature of his relationship to the Company and of the 
services hereunder. If the Contractor releases any 

of the above information to any parties outside of this 
company, such as personal friend, dose relatives or 
other 



Financial Institutions such as a Bank or other 
Financial Firms, it could be grounds for immediate 
termination. If the Contractor is ever in doubt of what 
information can be released and when, the Contractor will 
contact their superior right away 

TERMS OF ENGAGEMENT 

The Contractor is engaged by the Company on terms of 
thirty days (30) probationary period. During the 
probationary 

period the Company undertakes to pay to the 
Contractor the base salary amounting to 2300 USD 
per month 

plus 8 % commission from each payment processing 
operation. After the probationary period the Company 

agrees to revise and raise the base salary up to 3000 
USD. The Company has the right to cancel this Agreement 
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at any time within the probationary period or refuse to 
extend it after that, should the Contractor refuses to fulfill 
his/her obligations under this Agreement or fulfills them not 
in good faith. The Contractor has the right to terminate the 
Agreement at any time on condition that he/she has 
processed all previous payments and has no new 
instructions. 

COMPENSATION: 

The Company undertakes to pay taxes accrued in connection 
with money transfer. The Company shall also reimburse part 
of expenses which are incurred in connection with money 


transfer by Western Union or MoneyGram systems (should 
money transfer charges exceed 3 %, i. e. commission for 
payment processing operation). The above difference will be 
automatically added to the basic salary of the Contractor 
and paid once per month together with the basic salary. All 
reasonable and approved out-of-pocket expenses which are 
incurred in connection with the performance of the duties 
hereunder shall be reimbursed by the Company during the 
term of this Agreement, against the bill presented by the 
Contractor. The Company shall have the right to decrease 
the Contractor's commission in case the payment processing 
terms were violated by the Contractor. 

Should the Contractor delays re-sending money accepted to 
his bank account for the period exceeding one (1) day 
without any explicit reason, the Company shall have the 
right to impose sanctions on the Contractor if only the delay 
has not been caused by the Force Majeur circumstances and 
to apply to the arbitration and claim for the reimburse of the 
amount transferred to his account or for compensation for 
other damage if any, evicted due to the delay. The 
Contractor may take days off at any time and at his/her 
option upon giving five (5) working days advance notice in 
writing to the Company in order that the latter may abstain 
from charging the Contractor with new instructions. 

However, salary for each day-off is deducted from the 
Contractor's base salary. 11 
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Sample agreement that each and every potential money 
mule has to upload through the web interface, inter- 


estingly, each and every of the bogus brands has a custom 
made seal, part of the services offered by the managed 
vendor: 
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With such a professional attitude towards their work, now a 
process that's easily outsourced to vendors specializing in 
quality design and bogus company creation services, their 
recruitment process is prone to reach new levels of efficiency, 
which is why standardization was applied at the first place. 
However, just like in the case of malware and scareware, 
template-ization undermines their operational security 
(OPSEC) a process which they're clearly aware, but do not 
fully utilize since money mule recruitment is currently in 
efficiency-mode. 

Knowing the transactions pattern for a money mule 
recruitment, one which is clearly visible while going through 
their agreements, can in fact make it easier for financial 
institutions to protect their customers from themselves 
before it gets too late and they unknowingly dive deep into 
the money mule recruitment business model. 

Related posts: 

[41] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[42] Money Mules Syndicate Actively Recruiting Since 2002 


[43]lnside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [44]Dancho Danchev's 
blog. 

1 . 

http://voices.washin a tonpost.com/securitvfix/2009/09/mone 
v mule recruitment 101.html 

2. http://www.bobbear.co.uk/scope- a rouo-inc.html76a00c340 

3. 

http://l.bp.blo as pot.com/ wICHhTiOmrA/ShwO a kTe6l/AAAA 
AAAADoo/IXs vl pK2QKM/sl600-h/af- a roup-llc. pna 

4. http://ddanchev.blo as pot.com/2009/05/inside-mone v- 
launderin a-a roups-spammin a .html 

5. http://ddanchev.blo as pot.com/2009/Q6/datin a-s pam- 
campai an- prornotes-bo a us.html 

6. http://ddanchev.blo as pot.com/2008/Q7/templateHzation- 
of-malware-servin a .html 

7. http://ddanchev.blo as pot.com/2009/Q2/template-ization- 
of-malware-servin a .html 

8. http://ddanchev.blo as pot.com/2008/10/monev-mules- 
s vndicate-activelv.html 

9. http://lists.alioth.debian.or a/pi permail/ pka-a ames- 
devel/2009-Apri 1/011121.html 

10. http://forum.computerbetru a .de/finanz-und- 
warena a enten/56347-fi nanza a enten-werbemail.html 


684 


























































11. http://www.antisDam.de/forum/showthread. php? 
t=23791& paa e=2 


12. http://spam.tama a othi.de/2009/03/3Q/das-ist-esdein- 
traum i ob/ 

13. http://lists.alioth.debian.or g/pi permail/reportbu a- 
maint/2009-March/000766.html 

14. http://lists.debian.or a /debian-q t- 
kde/2009/03/ms a 00345.html 

15. 

http:// i uhuswelt.blo as pot.com/2009/03/panamakarriere.html 

16. http://66381.home paa emodules.de/t2932f66-Eine-freie- 
Vakanz-nur-fuer-Sie.html 


17. http://codespeak.net/ pi permail/ pvre pl-dev/2009- 
A pril/008001.html 

18. http://www.spamarchiv.com/2009/04/Q5/nach-einer- 
stelle- a esucht/ 

19. http://divine avps v.20six.co.uk/divine avps v/art/726546 

20. http://divine avps v.20six.co.uk/divine avps v/art/738174/- 
CSHSDHSHDHSUPNEWNSSSB 1 FCSHSDHSHDHSUPNEWNSSSB 
J£z 


21. http://codespeak.net/ pi permail/ pvre pl-dev/2009-April.txt 

22 . 

http://mailman.warwickcompsoc.co.uk/ pi permail/compsoc- 
techteam/2009-Apri 1/007 682.html 


23. http://www.antispam.de/forum/showthread. ph p?t=23791 
























































24. 

http://4.bp.blo as pot.com/ wlCHhTiOmrA/SspeVlfpF31/AAAAA 
AAAENI/zFzbkFVkrmE/sl600-h/monev_nnule_recruitment_ 

2. jeg 

25. 

http://2 .bp.blo as pot.com/_wlCFihTiOmrA/SspeoBdRq a l/AAAA 
AAAAEN a /PFIM R wFis4Q/sl600-h/monev mule recruitment 

Lj&g 

26. 

http://spammit.blo as ppt.cpm/2QQ9/Q9/internatipnalbrandima 

a ecom.html 

27. http://www.meinepetition.ch/forum-petition/read. php? 
id = 2750&debut=64 


28. http://www.tourmonterosa.com/forum/ pop profile.as p? 
mode=displav&id = 31 

29. http://webs.racocatala.cat/foratne a re/forum/index. php? 
action = print paae:to pic=665.0 

30. http://www.sferica.it/ pia na/topic.asp7TOPlC_lD=513 

31. http://www.assolonline.it/view. php7paa ina = 534 

32. http://www.albertocausin.it/forum/index. php? 
action = print paae:to pic= 19.0 

33. http://www.ital a rob.it/forum/viewtopic. php? 

P=108&sid = 078bad0d7b38bf85aae3ae07a93900dc 


34. http://www. pca uide.netsons.or a/w p/?p=589 






















































35. httD:// a oo a le.com/safebrowsin a /dia a nostic? 
site=individual people.biz/ 

36. http://www.000webhost.com/forum/customer- 
assistance/9146-please-help-mv-site-hacked.html 

37. http://ddanchev.blo as pot.com/2009/06/datin a-s oam- 
campai an- promotes-bo a us.html 

38. http://ddanchev.blo as pot.com/2009/05/inside-mone v- 
launderin a-a rouos-spammin a .html 

39. http://ddanchev.blo as pot.com/2009/05/inside-mone v- 
launderin a-a roups-soammin a .html 

40. htto://blo a s.zdnet.com/securit v/? p=3522 

41. http://ddanchev.blo as pot.com/2008/07/monev-mule- 
recruifers-use-asoroxs-fast.html 

42. http://ddanchev.blo as pot.com/20Q8/10/monev-mules- 
s vndicate-activelv.html 

43. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a roups-soammin a .html 

44. http://ddanchev.blo as oot.com/ 

685 




Koobface Botnet Dissected in a TrendMicro Report 
( 2009 - 10-14 18 : 22 ) 

I'd like to thank the folks at [l]TrendMicro for mentioning the 
message inserted by the Koobface gang ([2]more love 






















































[3]on a first-name basis [4]from them) within their command 
and control infrastructure for nine days, [5]greeting me for 
systematically [6]kicking them out of their ISPs, and 
suspending their command and control domains, in a new 
report entitled [7]The Heart of Koobface - C &C and Social 
Network Propagation: 

11 This simplistic C &C approach is, of course, very vulnerable 
to takedowns. After several KOOBFACE C &C takedown 
attempts initiated by Internet service providers (ISPs) and 
members of the security industry, the KOOBFACE 

gang realized the need for a more robust C &C infrastructure. 

Thus, on July 19, 2009, the KOOBFACE writers implemented a 
new C &C architecture that involved the use of proxy nodes 
to provide redundancy and to improve the survivability of 
their C &C should another takedown be attempted. A few 
days after the new KOOBFACE C &C infrastructure was 
implemented, the botnet was seen inserting a message (see 
below) for one of the security researchers tracking the 
malware's domain activities. 

This message run lasted nine days from July 22 to July 30, 
2009. Based on this incident, we can safely assume that the 
KOOBFACE gang has been monitoring blogs, articles, write¬ 
ups, and analyses about their handiwork and was probably 
also keeping tabs on the various solutions deployed to 
counter the botnet's attacks. Second, these people were 
thus quick to act and fix their creation's weaknesses, as 
evidenced by its change in infrastructure. Finally, the 
botnet's creators were bold enough to send taunting 
messages to security researchers. " 
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Having the Koobface gang kicked out of their ISPs in 48 
hours through close cooperation with China's CERT; 

BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web 
Solutions Lie; Telos-Solutions-AS/Telos Solutions LTD, resulted 
in a single command and control domain which was active 
and using the services of UKSERVERS-MNT (AS42831), 

78 . 110 . 175.15 in particular. Simply put, the Koobface 
botnet and the hundreds of thousands of infected hosts were 
not just sitting ducks, but ducks who've fallen asleep in the 
middle of the hunting season. 

It's important to point out that the company (UKSERVERS- 
MNT) on purposely lied that the customer has been taken 
offline, allowed the Koobface gang to access the server since 
the gang claimed 11 it’s a compromised customer and needs 
to clean-up the mess", then on purposely stopped 
responding to the smoothly going data sharing process, 
thereby allowing the Koobface gang to put their contingency 
plan in place. 

The bottom line - based on already published and to-be 
published assessments of this group's activities, the 

Koobface botnet [8]appears to be only the [9]tip of the 
iceberg for the [10]Ali baba and the 40 thieves cybercrime 
enterprise - a self-describing [lljmessage included by the 
Koobface gang. Their activities also prove a point - a single 
cybercrime enterprise can efficiently and automatically 
dominate the entire Web 2.0 threatscape, if they want to. 

Related posts: 

[12] Koobface Botnet's Scareware Business Model 

[13] Movement on the Koobface Front - Part Two 



[14] Movement on the Koobface Front 

[15] Koobface - Come Out, Come Out, Wherever You Are 

[16] Dissecting Koobface Worm's Twitter Campaign 

[17] Dissecting the Koobface Worm's December Campaign 

[18] Dissecting the Latest Koobface Facebook Campaign 

[19] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [20]Dancho Danchev's 
blog. 

1. http://blo a .trendmicro.com/ 
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Koobface Botnet Dissected in a TrendMicro Report 
( 2009 - 10-14 18 : 22 ) 

I'd like to thank the folks at [l]TrendMicro for mentioning the 
message inserted by the Koobface gang ([2]more love 

[3]on a first-name basis [4]from them) within their command 
and control infrastructure for nine days, [5]greeting me for 
systematically [6]kicking them out of their ISPs, and 
suspending their command and control domains, in a new 
report entitled [7]The Heart of Koobface - C &C and Social 
Network Propagation: 

11 This simplistic C &C approach is, of course, very vulnerable 
to takedowns. After several KOOBFACE C &C takedown 
attempts initiated by Internet service providers (ISPs) and 
members of the security industry, the KOOBFACE 
























gang realized the need for a more robust C &C infrastructure. 

Thus, on July 19, 2009, the KOOBFACE writers implemented a 
new C &C architecture that involved the use of proxy nodes 
to provide redundancy and to improve the survivability of 
their C &C should another takedown be attempted. A few 
days after the new KOOBFACE C &C infrastructure was 
implemented, the botnet was seen inserting a message (see 
below) for one of the security researchers tracking the 
malware's domain activities. 

This message run lasted nine days from July 22 to July 30, 
2009. Based on this incident, we can safely assume that the 
KOOBFACE gang has been monitoring blogs, articles, write¬ 
ups, and analyses about their handiwork and was probably 
also keeping tabs on the various solutions deployed to 
counter the botnet's attacks. Second, these people were 
thus quick to act and fix their creation's weaknesses, as 
evidenced by its change in infrastructure. Finally, the 
botnet's creators were bold enough to send taunting 
messages to security researchers. 11 
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Having the Koobface gang kicked out of their ISPs in 48 
hours through close cooperation with China's CERT; 

BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web 
Solutions Lie; Telos-Solutions-AS/Telos Solutions LTD, resulted 
in a single command and control domain which was active 
and using the services of UKSERVERS-MNT (AS42831), 

78 . 110 . 175.15 in particular. Simply put, the Koobface 
botnet and the hundreds of thousands of infected hosts were 


not just sitting ducks, but ducks who've fallen asleep in the 
middle of the hunting season. 

It's important to point out that the company (UKSERVERS- 
MNT) on purposely lied that the customer has been taken 
offline, allowed the Koobface gang to access the server since 
the gang claimed 11 it's a compromised customer and needs 
to clean-up the mess", then on purposely stopped 
responding to the smoothly going data sharing process, 
thereby allowing the Koobface gang to put their contingency 
plan in place. 

The bottom line - based on already published and to-be 
published assessments of this group's activities, the 

Koobface botnet [8]appears to be only the [9]tip of the 
iceberg for the [10]Ali baba and the 40 thieves cybercrime 
enterprise - a self-describing [lljmessage included by the 
Koobface gang. Their activities also prove a point - a single 
cybercrime enterprise can efficiently and automatically 
dominate the entire Web 2.0 threatscape, if they want to. 

Related posts: 

[12] Koobface Botnet's Scareware Business Model 

[13] Movement on the Koobface Front - Part Two 

[14] Movement on the Koobface Front 

[15] Koobface - Come Out, Come Out, Wherever You Are 



[16] Dissecting Koobface Worm's Twitter Campaign 

[17] Dissecting the Koobface Worm's December Campaign 

[18] Dissecting the Latest Koobface Facebook Campaign 

[19] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [20]Dancho Danchev's 
blog. 
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Scareware Serving Conficker.B Infection Alerts Spam 
Campaign (2009-10-20 18:51) 

A fake [l]"conficker.b infection alert" spam campaign first 
observed in April, 2009 (using the following scareware 
domains antivirus-av-ms-check .com; antivirus-av-ms- 
checker .com; ms-anti-vir-scan .com; mega-antiviral- 
ms .com back then) is once again circulating in an attempt 
to trick users into installing "antispyware application", in 
this case the [2]Antivirus Pro 2010 scareware. 

This campaign is directly related to [3]last week's Microsoft 
Outlook update campaign, with both of these us¬ 
ing [4]identical download locations for the scareware. 

The following is an extensive list of the domains involved in 
the campaigns: 

abumaso3tkamid .com - Email: drawn@ml3.ru 



















afedodevascevo .com - Email: sixty@8081.ru 
alertonabert .com - Email: flop@infotorrent.ru 
alertonbgabert .com - Email: vale@e2mail.ru 
alioneferkilo .com - Email: va@blogbuddy.ru 
anobalukager .com - Email: chalkov@co5.ru 
anobhalukager .com - Email: humps@infotorrent.ru 
bufertongamoda .com - Email: kurt@8081.ru 
buhafertadosag .com - Email: bias@co5.ru 
buhervadonuska .com - Email: vale@e2mail.ru 
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bulakeskatorad .com - Email: bias@co5.ru 
bulerkoseddasko .com - Email: bias@co5.ru 
buleropihertan .com - Email: def@co5.ru 
celiminerkariota .com - Email: morse@corporatemail. 
certovalionas .com - Email: kurt@8081.ru 
dabertugaburav .com - Email: def@co5.ru 
elxolisdonave .com - Email: curb@cheapmail.ru 
enkafuleskohuj .com - Email: kerry@freemailbox.ru 
ertanueskayert .com - Email: xmas@co5.ru 
ertonaferdogalo .com - Email: kerry@freemailbox.ru 



ertu6nagertos .com - Email: recipe@isprovider.ru 
ertubedewse .com - Email: weak@infotorrent.ru 
ertugasedumil .com - Email: chalkov@co5.ru 
ertugaskedumil .com - Email: humps@infotorrent.ru 
ertunagertos .com - Email: def@co5.ru 
erubamerkadolo .com - Email: kerry@freemailbox.ru 
fedostalonkah .com - Email: bias@co5.ru 
ftahulabedaso .com - Email: raced@corporatemail.ru 
gumertagionader .com - Email: seize@e2mail.ru 
huladopkaert .com - Email: chute@infotorrent.ru 
iobacebauiler .com - Email: roy@corporatemail.ru 
itorkalione .com - Email: pygmy@8081.ru 
julionejurmon .com - Email: jacob@freemailbox.ru 
julionermon .com - Email: pygmy@8081.ru 
konitorsabure .com - Email: chalkov@co5.ru 
konitorswabure .com - Email: humps@infotorrent.ru 
lersolamaderg .com - Email: chalkov@co5.ru 
lersolamgaderg .com - Email: humps@infotorrent.ru 
linkertagubert .com - Email: kerry@freemailbox.ru 
lionglenhrvoa .com - Email: sixty@8081.ru 



liposdakoferda .com - Email: leaf@corporatemail.ru 
lopastionertu .com - Email: cues@e2mail.ru 
nebrafsofertu .com - Email: humps@infotorrent.ru 
nuherfodaverta .com - Email: morse@corporatemail.ru 
nulerotkabelast .com - Email: dealt@8081.ru 
nulkersonatior .com - Email: dealt@8081.ru 
obuleskinrodab .com - Email: xmas@co5.ru 
ofaderhabewuit .com - Email: kerry@freemailbox.ru 
okavanubares .com - Email: chalkov@co5.ru 
okaveanubares .com - Email: humps@infotorrent.ru 
onagerfadusak .com - Email: cues@e2mail.ru 
orav4abustorabe .com - Email: drawn@ml3.ru 
oscaviolaner .com - Email: larks@freemailbox.ru 
ovuiobvipolak .com - Email: sixty@8081.ru 
ovuioipolak .com - Email: bias@co5.ru 
paferbasedos .com - Email: chalkov@co5.ru 
pafersbasedos .com - Email: humps@infotorrent.ru 
polanermogalios .com - Email: dealt@8081.ru 
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rdafergfvacex .com - Email: jacob@freemailbox.ru 
rtugamer5tobes .com - Email: drawn@ml3.ru 
rtugamertobes .com - Email: kw@co5.ru 
scukonherproger .com - Email: kazoo@isprovider.ru 
shuretrobaniso .com - Email: frail@infotorrent.ru 
tarhujelafert .com - Email: raced@corporatemail.ru 
tavakulio5nkab .com - Email: recipe@isprovider.ru 
tavakulionkab .com - Email: def@co5.ru 
tertunavogav .com - Email: la@freemailbox.ru 
tertunwavogav .com - Email: drawn@ml3.ru 
tsabunerkadosa .com - Email: humps@infotorrent.ru 
tsarbunerkadosa .com - Email: humps@infotorrent.ru 
tubanerdavaf .com - Email: chalkov@co5.ru 
tubanerdavjaf .com - Email: halkov@co5.ru 
uhajokalesko .com - Email: f1op@infotorrent.ru 
uhajokvfalesko .com - Email: flop@infotorrent.ru 
ulioperdanogad .com - Email: vale@e2mail.ru 
uliopewrdanogad .com - Email: kerry@freemailbox.ru 
uplaserdunavats .com - Email: dealt@8081.ru 
utka3merdosubor .com - Email: drawn@ml3.ru 



utkamerdosubor .com - Email: kw@co5.ru 
utorganedoskaw .com - Email: kerry@freemailbox.ru 
utorgtanedoskaw .com - Email: xmas@co5.ru 
uvgaderbotario .com - Email: def@co5.ru 
vudermaguliermot .com - Email: leaf@corporatemail.ru 
vuilerdomegase .com - Email: leaf@corporatemail.ru 
vuilleskomandar .com - Email: seize@e2mail.ru 
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vulertagulermos .com - Email: dealt@8081.ru 

vuretronulevka .com - Email: dealt@8081.ru 

weragumasekasuke .com - Email: kazoo@isprovider.ru 

werynaherdobas .com - Email: dealt@8081.ru 

Despite the comprehensive portfolio of domains used, 
relying on spam to increase revenue from scareware 

sales is prone to fail, in this specific case due to the lack of 
event-based social engineering theme, something that was 
present in the first campaign. 

Related posts: 

[5] Conficker's Scareware/Fake Security Software Business 
Model 

[6] Koobface Botnet's Scareware Business Model 



This post has been reproduced from [7]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/7 p=4674 

2 . 

http://www.virustotal.com/analisis/d3d77586778a25be86b5 

bc30b293b56abc280f22512d725a36f7ee0c5432e6c2- 

12560 

51197 

3. http://www.trusteer.com/files/Zeus- 
OWA Advisorv_Qct_2009.pdf 

4. http://blo a. Purewire.com/bid/21391/Fake-Microsoft- 
Outlook-Updates-Spread-Ro a ue-AV 

5. http://ddanchev.blo as pot.com/2009/Q4/confickers- 
scarewarefake-securitv.html 

6. http://ddanchev.blo as pot.com/2009/Q9/koobface-botnets- 
scareware-business.html 

7. http://ddanchev.blo as pot.com/ 
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Koobface Botnet Redirects Facebook's IP Space to 
my Blog (2009-10-21 22:28) 

Love me, love me, say that you love me. You know you're 
cherished when the Koobface botnet redirects Facebook 



























Inc's entire IP space to your blog using HTTP Error 302 - 
Moved temporarily messages in an attempt to have 

Facebook's anti-malware crawlers hit my blog every time 
they visit a Koobface URL posted on the social networking 
site. 

The result? Earlier this morning, I've noticed over 7,000 
unique visits coming from Facebook Inc's IP space using 
active and automatically blogspot accounts part of the 
Koobface botnet as http referrers ([l]New Koobface 
campaign spoofs Adobe's Flash updater), which is now 
officially [ 2 ] re I y i n g on already infected hosts for the 
CAPTCHA recognition process. At first, I thought the 
Koobface gang has embedded an iFrame in order to achieve 
the effect, but the 

requests were coming from Facebook's IP space only. 

A representative from Facebook's Security Incident 
Response Team just confirmed the development, and 
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commented that they've added an exception, which is now 
visible since IPs from Facebook's IP space are no longer 
visiting my blog: 

" Thanks for bringing this to our attention. I'm on the 
Security Incident Response team at Facebook and we just 
finished looking into this issue. We visit all links posted to 
Facebook as part of our link preview feature. We also take 
the opportunity to do some additional security screening to 
filter out bad content. Koobface in particular is fond of 


redirecting our requests to legitimate websites, and you 
seem to have done something to piss Koobface off. All 

visits to Koobface URLs from our IP space are 
currently being redirected to your blog. " 

The compete list of the automatically registered blogspot 
accounts, of whose existence Google's security team has 
already been notified are as follows: 

lrykutviklingibtvedmongstad-vgnett .blogspot.com/ 
40-nrg .blogspot.com/ 
anyauujteykbrlzyt .blogspot.com/ 
bctdnvxyubozkute336 .blogspot.com/ 
bjfzibzxpjwfsri.blogspot .com/ 
bopscfmfdfkdcdk.blogspot .com/ 
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bpucrtkuigcvuzd.blogspot .com/ 

dcljxlmkdpfyadlmk014.blogspot .com/ 

driwnhtqcifnewwy.blogspot .com/ 

fffgxdpmrhzepmwcl72.blogspot .com/ 

frjutygrfzkfmumr.blogspot .com/ 

gbmasakrnbvduky-mhopomuytpmeo46. blogspot 
.com/ 

hmxmjrdpzncnania.blogspot .com/ 



hryuickbrfxpgkiqc-wnyohlytffli526.blogspot .com/ 
hxsdrjrbiesmulbp-mp775012.blogspot .com/ 
hz560607.blogspot .com/ 

irfwgrbghyzrnaajs-npqpnvzqrqqeziywhx8.blogspot 

.com/ 

isaqwpccpkvmmnffx.blogspot .com/ 
iunvrafuvbgykpap819.blogspot .com/ 
ixqowmtgwfvkaapq.blogspot .com/ 
jocdniqudpnszswn936.blogspot .com/ 
jxpxhokysarhvnfw-wvtbfawtlocf932 .blogspot.com/ 
kayaafwlllybvydpu.blogspot .com/ 
kfddbjhalrqkmqtoa.blogspot .com/ 
kutlvtfxkxbismwpci.blogspot .com/ 
kyqyiplztbsiwogx-hfnrmfxbkjzswjq964.blogspot .com/ 
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kzbcbzhlgcnmmaveusdt2.blogspot .com/ 
lbwhvnvfmiwqypft-gt34676.blogspot .com/ 
Igjxsfcwkviythet.blogspot .com/ 
Ivlcauoimpklqoj.blogspot .com/ 


moruokuamhtobznhwx.blogspot .com/ 
nfnnialisemtirdcq.blogspot .com/ 
pfmrjjvolrxsthdl.blogspot .com/ 
pywkyzxqcslnqyz907.blogspot .com/ 
qmhbxydgxfitnaosp.blogspot .com/ 
rfsnkstagwfwlkgr.blogspot .com/ 
rykutviklingibtvedmongstad-vgnett .blogspot.com/ 
scjftnvmcqiarvt-ni242558.blogspot .com/ 
skpjwfruzkzujvw.blogspot .com/ 
spfymrxnfiotvtrknf.blogspot .com/ 
sxcfugyjtvtwgxzvi.blogspot .com/ 
tbgkfbllzdtrcslpc741.blogspot .com/ 
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unrrldfyuanstafa.blogspot .com/ 
vstikrflawgquztcn.blogspot .com/ 
wjfpuoiolcjvecszeb.blogspot .com/ 
wlaafuebvmdkaiavh.blogspot .com/ 
wnejhokyqkazwpu898.blogspot.com/ 
wqqcknikrlnowgri.blogspot .com/ 


xlmwrzdmywbibfwi742.blogspot .com/ 


yanksroadwinchangesalcsoutlook-mlbcom 

.blogspot.com/ 

yeqhabdnabhndbt.blogspot .com/ 

yzyweidzwor-cxgwufvosfam .blogspot.com/ 

zafxzlatzsmwysk.blogspot .com/ 

znfnxeaoiqhxldvmqo-atcsqbrkobwi408 

.blogspot.com/ 

zqsvjeoqccknkfubc.blogspot .com/ 

The Koobface gang's use of basic blackhat SEO principles 
such as content cloaking are identical to their previous 
attempts to cover-up their malicious activities relying on 
pre-defined sets of http referrers of public search engines, or 
particular redirectors in order for their infections to take 
place. 
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Stay tuned for more developments on the [3]Ali Baba and 
the 40 thieves LLC front, a.k.a as [4]my Ukrainian 

"fan club". The circle is almost complete, a lot of recent 
events will be summarized shortly. 

Related posts: 

[5] Koobface Botnet Dissected in a TrendMicro Report 

[6] Koobface Botnet's Scareware Business Model 

[7] Movement on the Koobface Front - Part Two 



[8] Movement on the Koobface Front 

[9] Koobface - Come Out, Come Out, Wherever You Are 

[10] Dissecting Koobface Worm's Twitter Campaign 

[11] Dissecting the Koobface Worm's December Campaign 

[12] Dissecting the Latest Koobface Facebook Campaign 

[13] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [14]Dancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v/? p=4594 

2. http://www.fin i an.com/MCRCblo a .aspx7Entrvld = 2317 

3. http://4.bp.blo as pot.com/_wlCHhTiOmrA/SrEu v- 
LR3 l/AAAAAAAAEKY/0MVRF a dlAQM/sl600- 
h/koobface_scareware_5. pna 

4. http://ddanchev.blo as pot.com/2QQ9/lQ/koobface-botnet- 
dissected-in-trendmicro.html 

5. http://ddanchev.blo as pot.com/20Q9/lQ/koobface-botnet- 
dissected-in-trendmicro.html 

6. http://ddanchev.blo as pot.com/2QQ9/Q9/koobface-botnets- 
scareware-business.html 

7. http://ddanchev.blo as pot.com/2QQ9/Q8/movement-on- 
koobface-front-part-twQ.html 

8. http://ddanchev.blo as pot.com/2QQ9/Q8/movement-on- 
koobface-front.html 

































9. http://ddanchev.blo as pot.com/2QQ9/Q7/koobface-come- 
out-come-out-wherever-vou.html 


10. http://ddanchev.blo as pot.com/2QQ9/Q7/dissectin a- 
koobface-worms-twitter.html 


11. http://ddanchev.blo as pot.com/2QQ8/12/dissectin a- 
koobface-worms-december.html 


12. http://ddanchev.blo as pot.com/2QQ8/ll/dissectin a- 
latest-koobface-facebook.html 


13. http://ddanchev.blo as pot.com/2QQ8/12/koobface- a an a 
mixin g -social-en a ineerin a .html 

14. http://ddanchev.blo as pot.com/ 
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Koobface Botnet Redirects Facebook's IP Space to 
my Blog (2009-10-21 22:28) 

Love me, love me, say that you love me. You know you're 
cherished when the Koobface botnet redirects Facebook 

Inc's entire IP space to your blog using HTTP Error 302 - 
Moved temporarily messages in an attempt to have 

Facebook's anti-malware crawlers hit my blog every time 
they visit a Koobface URL posted on the social networking 
site. 

The result? Earlier this morning, I've noticed over 7,000 
unique visits coming from Facebook Inc's IP space using 























active and automatically blogspot accounts part of the 
Koobface botnet as http referrers ([l]New Koobface 
campaign spoofs Adobe's Flash updater), which is now 
officially [ 2 ] re I y i n g on already infected hosts for the 
CAPTCHA recognition process. At first, I thought the 
Koobface gang has embedded an iFrame in order to achieve 
the effect, but the 

requests were coming from Facebook's IP space only. 

A representative from Facebook's Security Incident 
Response Team just confirmed the development, and 

commented that they've added an exception, which is now 
visible since IPs from Facebook's IP space are no longer 
visiting my blog: 
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" Thanks for bringing this to our attention. I'm on the 
Security Incident Response team at Facebook and we just 
finished looking into this issue. We visit all links posted to 
Facebook as part of our link preview feature. We also take 
the opportunity to do some additional security screening to 
filter out bad content. Koobface in particular is fond of 
redirecting our requests to legitimate websites, and you 
seem to have done something to piss Koobface off. All 

visits to Koobface URLs from our IP space are 
currently being redirected to your blog. " 

The compete list of the automatically registered blogspot 
accounts, of whose existence Google's security team has 
already been notified are as follows: 


lrykutviklingibtvedmongstad-vgnett .blogspot.com/ 
40-nrg .blogspot.com/ 
anyauujteykbrlzyt .blogspot.com/ 
bctdnvxyubozkute336 .blogspot.com/ 
bjfzibzxpjwfsri.blogspot .com/ 
bopscfmfdfkdcdk.blogspot .com/ 
bpucrtkuigcvuzd.blogspot .com/ 
dcljxlmkdpfyadlmk014.blogspot .com/ 
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driwnhtqcifnewwy.blogspot .com/ 

fffgxdpmrhzepmwcl72.blogspot .com/ 

frjutygrfzkfmumr.blogspot .com/ 

gbmasakrnbvduky-mhopomuytpmeo46.blogspot 

.com/ 

hmxmjrdpzncnania.blogspot .com/ 
hryuickbrfxpgkiqc-wnyohlytffli526.blogspot .com/ 
hxsdrjrbiesmulbp-mp775012.blogspot .com/ 
hz560607.blogspot .com/ 

irfwgrbghyzrnaajs-npqpnvzqrqqeziywhx8.blogspot 

.com/ 

isaqwpccpkvmmnffx.blogspot .com/ 



iunvrafuvbgykpap819.blogspot .com/ 
ixqowmtgwfvkaapq.blogspot .com/ 
jocdniqudpnszswn936.blogspot .com/ 
jxpxhokysarhvnfw-wvtbfawtlocf932 .blogspot.com/ 
kayaafwlllybvydpu.blogspot .com/ 
kfddbjhalrqkmqtoa.blogspot .com/ 
kutlvtfxkxbismwpci.blogspot .com/ 
kyqyiplztbsiwogx-hfnrmfxbkjzswjq964.blogspot .com/ 
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kzbcbzhlgcnmmaveusdt2.blogspot .com/ 
lbwhvnvfmiwqypft-gt34676.blogspot .com/ 
Igjxsfcwkviythet.blogspot .com/ 
Ivlcauoimpklqoj.blogspot .com/ 
moruokuamhtobznhwx.blogspot .com/ 
nfnnialisemtirdcq.blogspot .com/ 
pfmrjjvolrxsthdl.blogspot .com/ 
pywkyzxqcslnqyz907.blogspot .com/ 
qmhbxydgxfitnaosp.blogspot .com/ 
rfsnkstagwfwlkgr.blogspot .com/ 


rykutviklingibtvedmongstad-vgnett .blogspot.com/ 
scjftnvmcqiarvt-ni242558.blogspot .com/ 
skpjwfruzkzujvw.blogspot .com/ 
spfymrxnfiotvtrknf.blogspot .com/ 
sxcfugyjtvtwgxzvi.blogspot .com/ 
tbgkfbllzdtrcslpc741.blogspot .com/ 
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unrrldfyuanstafa.blogspot .com/ 

vstikrflawgquztcn.blogspot .com/ 

wjfpuoiolcjvecszeb.blogspot .com/ 

wlaafuebvmdkaiavh.blogspot .com/ 

wnejhokyqkazwpu898.blogspot.com/ 

wqqcknikrlnowgri.blogspot .com/ 

xlmwrzdmywbibfwi742.blogspot .com/ 

yanksroadwinchangesalcsoutlook-mlbcom 

.blogspot.com/ 

yeqhabdnabhndbt.blogspot .com/ 
yzyweidzwor-cxgwufvosfam .blogspot.com/ 
zafxzlatzsmwysk.blogspot .com/ 


znfnxeaoiqhxldvmqo-atcsqbrkobwi408 

.blogspot.com/ 

zqsvjeoqccknkfubc.blogspot .com/ 

The Koobface gang's use of basic blackhat SEO principles 
such as content cloaking are identical to their previous 
attempts to cover-up their malicious activities relying on 
pre-defined sets of http referrers of public search engines, or 
particular redirectors in order for their infections to take 
place. 

706 

Stay tuned for more developments on the [3]Ali Baba and 
the 40 thieves LLC front, a.k.a as [4]my Ukrainian 

"fan club". The circle is almost complete, a lot of recent 
events will be summarized shortly. 

Related posts: 

[5] Koobface Botnet Dissected in a TrendMicro Report 

[6] Koobface Botnet's Scareware Business Model 

[7] Movement on the Koobface Front - Part Two 

[8] Movement on the Koobface Front 

[9] Koobface - Come Out, Come Out, Wherever You Are 

[10] Dissecting Koobface Worm's Twitter Campaign 

[11] Dissecting the Koobface Worm's December Campaign 

[12] Dissecting the Latest Koobface Facebook Campaign 



[13]The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [14]Dancho Danchev's 
blog. 
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LR3 l/AAAAAAAAEKY/0MVRF a dlAQM/sl600- 
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6. http://ddanchev.blo as pot.com/2QQ9/Q9/koobface-botnets- 
scareware-business.html 
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Ongoing FDIC Spam Campaign Serves Zeus 
Crimeware (2009-10-27 23:46) 

UPDATED - Wednesday, October 28, 2009: A "New 
Facebook Login System" spam campaign is in circulation, 
launched by the same botnet. Sampled [l]updatetool.exe 
once again interacts with the Zeus command and control 

at [2]193.104.27.42. 

Message sample 01: " In an effort to make your online 
experience safer and more enjoyable, Facebook will be 
implementing a new login system that will affect all 
Facebook users. These changes will offer new features and 
increased account security Before you are able to use the 
new login system, you will be required to update your 
account. A new Facebook Update Tool has been released for 
your account. Please download and install the tool using the 
link below. " 

Message sample 02: " Dear Facebook user, In an effort to 
make your online experience safer and more enjoyable, 
Facebook will be implementing a new login system that will 
affect all Facebook users. These changes will offer new 
features and increased account security. Before you are 













able to use the new login system, you will be required to 
update your account. Click here to update your account 
online now. If you have any questions, reference our New 
User Guide. Thanks, The Facebook Team" 
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Participating fast-fluxed domains include: 

easderle.co .uk 
easderlg.co .uk 
easderll.co .uk 
easderlm.co .uk 
easderlq.co .uk 
nytre4rt.co .uk 
nytre4ru.co .uk 
nyuyl2qwa.co .uk 
nyuyl2qwf.co .uk 
nyuyl2qwg.co .uk 
nyuyl2qws.co .uk 
nyuyl2qwz.co .uk 
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ololii.co .uk 


ololiw.co .uk 


ololiy.co .uk 
ololiz.co .uk 
tygerah.co .uk 
tygerak.co .uk 
tygeraw.co .uk 
tygeraz.co .uk 
yhlqak.co .uk 
yhlqal.co .uk 
yhlqao.co .uk 
yhaqwela.co .uk 
yhaqwelq.co .uk 
yhaqwelr.co .uk 
yhaqwilg.co .uk 
yhaqwilh.co .uk 
yhaqwill.co .uk 
yhaqwilm.co .uk 
yhaqwilp.co .uk 
yhhherasde.co .uk 
yhhherasdp.co .uk 



yhhheraski.co .uk 
yhhheraskog.co .uk 
yhhheraskol.co .uk 
yhhheraskoy.co .uk 
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nlllsae .eu 
nlllsak.eu 
nlllsap.eu 
nlllsaq .eu 
nlllsay.eu 
nlllsaz.eu 
nyuhlawa .eu 
nyuhlawb .eu 
nyuhlawc .eu 
nyuhlawd .eu 
nyuhlawe .eu 
nyuhlawf .eu 
nyuhlawg .eu 
nyuhlawh .eu 
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nyuhlawm .eu 
nyuhlawn .eu 
nyuhlaws .eu 
nyuhlawt .eu 
nyuhlawv .eu 
nyuhlawx .eu 
nyuhlawz .eu 
nyuyl2qwf .eu 
nyuyl2qwg .eu 
nyuyl2qws .eu 
nyuyl2qws .eu 
ololii .eu 
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ololiw .eu 
ololiy .eu 
ololiz .eu 
rrreflaaz .eu 


rrreflakz .eu 


rrreflokz .eu 


rrreflykz.eu 
rrrefjokz .eu 
saaasak .eu 
saaasav .eu 
tygerah .eu 
tygerak .eu 
tygeraw .eu 
ujihkei .eu 
ujihkni .eu 
ujihkoi .eu 
ujihkui .eu 
yhlqao .eu 
yhlqaz.eu 
yylazsva .eu 
yylazsvq .eu 
yylazsvz.eu 
yyylasvf.eu 
yyylazsy .eu 
yyylazvg .eu 



yyylzsve .eu 

New DNS servers of notice: 

nsl.a-recruitmnt .com 
nsl.applesilver .com 
nsl.cheryks .com 
nsl.barbaos.net 
nsl.laktocountry .net 

An ongoing [3]spam campaign impersonating The Federal 
Deposit Insurance Corporation, is attempting to 

drop zeus samples by enticing users into installing 
[4]pdf.exe and [5]word.exe. 

" Subject: FDIC has officially named your bank a failed 
bank 

Body: You have received this message because you are a 
holder of a FDIC-insured bank account. 

Recently 

FDIC has officially named the bank you have opened your 
account with as a failed bank, thus, taking control of its 
assets. You need to visit the official FDIC website and 
perform the following steps to check your Deposit Insurance 
Coverage. " 
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Sampled malware obtains a Zeus crimeware from a known 
command and control location (193.104.27.42), already 

[6]blacklisted by the Zeus Tracker. The campaign is related 
to the periodical "Microsoft Outlook Update" campaigns, 
since both campaigns have been [7]sharing fast-flux 
infrastructure under the same infected hosts, using identical 
domains. 

Fast-fluxed domains participating in the FDIC spam 
campaign: 

bbttyak.co .uk 

bbttyak.org .uk 

bbttyam.co .uk 

bbttyam.me .uk 

bbttyap.co .uk 

bbttyap.me .uk 

bbttyaz.co .uk 

bbttyaz.me .uk 

gerrahawa .eu 

gerrahowa .eu 

gerrakawa .eu 

gerrakowa .eu 

gerralowa .eu 



gerraoowa .eu 


gerraoowa .eu 
gerrasasa .eu 
gerrasase .eu 
gerrasasq .eu 
hlerfae .eu 
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hlerfai .eu 
hlerfaj .eu 
hlerfaq .eu 
hlerfar .eu 
hlerfat .eu 
hlerfau .eu 
hlerfaw.eu 
hlerfay .eu 
heiiikok .eu 
heiiikoy .eu 
heiiikul .eu 


heiiikum .eu 



heiiikuv .eu 


heiiikuy .eu 
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idllsit .com 
ijltli .net 
immikiutl .cz 
jltliil .com 
jltliil .eu 
jltliil .net 
Ijltli .com 
Ijltli .net 
Ijltli .com 
Ijltli .net 
Itlill .com 
Itlill .net 
modesftp .eu 
nniujil .eu 
nniujih .eu 
nniujol .eu 


nniukif .eu 



nniukih .eu 


nniukik .eu 
nniukiw .eu 
nniukiz .eu 
nniuxih .eu 
nniuxiw .eu 
pouikib .eu 
pouikic .eu 
pouikie .eu 
pouikif .eu 
pouikig .eu 
pouikir .eu 
pouikis .eu 
pouikit .eu 
pouikiv .eu 
pouikiw .eu 
pouikix .eu 
pouikiy .eu 
tlfliil .tc 
tjlfiil.co .nz 



tjlfiil .com 
tjlfiil .net 
tjlfiil .tc 

716 


£ 


DNS servers of notice: 

nsl.doctor-tomb .com 
nsl.sortyn .com 
nsl.asthomes .com 
nsl.sunriseliny .com 
nsl.racing-space .net 
nsl.cerezit .net 

The phoneback location 193.104.27.42 at AS12604 
maintained by Kamushnoy Vladimir Vasulyovich 
(info@ctgm.info; 

via.kam@ctgm.info with ctgm.info responding to 
91.213.72.1) is the second Zeus command and control IP 
within the netblock, [8]followed by 193.104.27.90. 

Related posts: 

[9] Fake Microsoft patches themed malware campaigns 
spreading 

[10] Fake Microsoft patch malware campaign makes a 
comeback 


[11] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

[12] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[13] Managed Fast Flux Provider - Part Two 

[14] Managed Fast Flux Provider 

[15] Storm Worm's Fast Flux Networks 

[16] Fast Flux Spam and Scams Increasing 

[17] Fast Fluxing Yet Another Pharmacy Spam 

[18] Obfuscating Fast Fluxed SQL Injected Domains 

[19] Storm Worm Hosting Pharmaceutical Scams 

[20] Fast-Fluxing SQL injection attacks executed from the 
Asprox botnet 

This post has been reproduced from [21 JDancho Danchev's 
blog. 

1 . 

http://www.virustotal.com/analisis/2aQ1152f68fdQ7fd3c362 

3cld640bl4384da836bf47fbef5b61dddl4c946bb7e-12567 

39274 

2. https://zeustracker.abuse.ch/monitor. pho? 
host=193.1Q4.27.42 

3. http:// a arwamer.blo as pot.com/2009/10/fake-fdic-spam- 
campai a n-spreads-zeus.html 












4. 


http://www.virustotal.com/analisis/9c81ead54aeeba88fllc7 

4444c63873f76d6882b265095a94ebdee5c3e7a64a5- 

12566 
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5. 

http://www.virustotal.com/analisis/02cee27d4fcf8e888329b 

Qd95c923853472cb6acab40e7b076a0c8e6fl3eed44- 
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78537 

6. https://zeustracker.abuse.ch/monitor. ohp? 
host=193.1Q4.27.42 
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7. http://hphosts.blo as pot.com/2QQ9/lQ/warnin a-u pdate-for- 
microsoft-outlook.html 


8. https://zeustracker.abuse.ch/monitor. php? 
host=193.1Q4.27.9Q 

9. httP://blo a s.zdnet.com/securit v/? p = 3648 

10. http://blo a s.zdnet.com/securit v/? p=3916 

11. http://ddanchev.blo as pot.com/2QQ9/Q7/multitaskin a- 
fast-flux-botnet-that.html 


12. http://ddanchev.blo as pot.com/2QQ8/Q7/monev-mule- 
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14. http://ddanchev.blo as oot.com/2QQ7/ll/mana a ed-fast- 
f1ux-orovider.html 

15. http://ddanchev.blo as pot.com/2QQ7/Q9/storm-worms- 
fast-f1ux-networks.html 


16. http://ddanchev.blo as pot.com/2QQ7/lQ/fast-f1ux-spam- 
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17. http://ddanchev.blo as pot.com/2QQ7/lQ/fast-f1uxin a-vet- 
another-pharmacv-scam.html 

18. http://ddanchev.blo as pot.com/2QQ8/Q7/obfuscatin a -fast- 
f1uxed-sal-in i ected.html 

19. http://ddanchev.blo as pot.com/2QQ8/Q5/storm-worm- 
hostin a- pharmaceutical-scams.html 

20. http://blo a s.zdnet.com/secu rit v/? p=1122 

21. http://ddanchev.blo as pot.com/ 
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Summarizing Zero Day's Posts for October (2009-11- 
02 23:29) 

The following is a brief summary of all of my posts at 
ZDNet's [ljZero Day for October. 









































You can also go through [2]previous summaries, as well as 
subscribe to my [3]personal RSS feed or [4]Zero 

Day's main feed. 

Notable articles include: [5]Does software piracy lead to 
higher malware infection rates? and [6]New LoroBot 

ransomware encrypts files, demands $100 for decryption. 

01. [7]MS Security Essentials test shows 98 % detection 
rate for 545k malware samples 

02. [8]Weak passwords dominate statistics for Hotmail's 
phishing scheme leak 

03. [9]Click fraud facilitating Bahama botnet steals ad 
revenue from Google 

04. [10]New Koobface campaign spoofs Adobe's Flash 
updater 

05. [ll]Does software piracy lead to higher malware 
infection rates? 

06. [12]Commonwealth fined $100k for not mandating 
antivirus software 

07. [13]'Evil Maid' USB stick attack keylogs TrueCrypt 
passphrases 

08. [14]Fake 'Conflicker.B Infection Alert' spam campaign 
drops scareware 

09. [15]Gawker Media tricked into featuring malicious 
Suzuki ads 



10. [16]New LoroBot ransomware encrypts files, demands 
$100 for decryption 

11. [17]Spooky Halloween - scareware or crimeware? 
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12. [18]Phishing experiment sneaks through all anti-spam 
filters 

This post has been reproduced from [19]Dancho Danchev's 
blog. 
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Pricing Scheme for a DDoS Extortion Attack (2009- 
11-03 10:58) 

With the average price for a DDoS attack on demand 
decreasing due to the evident over-supply of malware 
infected hosts, it should be fairly logical to assume that the 
"on demand DDoS" business model run by the 
cybercriminals performing such services is blossoming. 

Interestingly, what used to be a group that was exclusively 
specializing in DDoS attacks, is today's cybercrime 
enterprise "[ljvertically integrating" in order to occupy as 
many underground market segments as possible, all of 
which originally developed thanks to the "malicious 
economies of scale" ([2]massive SQL injections through 
[3]search engines' reconnaissance, [4]standardizing the 
social engineering process, the [5]money mule recruitment 
process, 






















[6]diversifying the standardized and well proven 
propagation/infection vectors etc.) offered by a botnet. 

What if their DDoS for hire business model is experiencing a 
decline? Would [7]penetration pricing save them? What if 
they start enforcing a [8]differentiated pricing model for 
their services through DDoS extortion? 

Let's discuss one of those groups that's been actively 
attempting to extort money from Russian web sites 

since the middle of this summer. From penalty fees, to 30 % 
discount if they want to request DDoS for hire against their 
competitors, a discount only available if they've actually 
paid the 10,000 rubles monthly extortion fee at the first 
place - this gang is also including links to the web sites of 
Russian's Federal Security Service (FSB) and Russia's 
Ministry of the Interior stating " in order to make it easy for 
the victims to contact law enforcement'. 

Sample DDOS extortion letter: 

11 Hello. If you want to continue having your site operational, 
you must pay us 10 000 rubles monthly. Attention! 

Starting as of DATE your site will be a subject to a DDoS 
attack. Your site will remain unavailable until you pay us. 

The first attack will involve 2,000 bots. If you contact the 
companies involved in the protection of DDoS-attacks and 
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they begin to block our bots, we will increase the number of 
bots to 50 000, and the protection of 50 000 bots is very, 
very expensive. 



1st payment (10 000 rubles) Must be made no later than 
DATE. AH subsequent payments (10 000 rubles) Must be 
committed no later than 31 (30) day of each month starting 
from August 31. Late payment penalties will be charged 100 
% for each day of delay. 

For example, if you do not have time to make payment on 
the last day of the month, then 1 day of you will 

have to pay a fine 100 %, for instance 20 000 rubles. If you 
pay only the 2 nd date of the month, it will be for 30 000 

rubles etc. Please pay on time, and then the initial 10 000 
rubles offer will not change. Penalty fees apply to your first 
payment - no later than DATE" 

You will also receive several bonuses. 

1. 30 % discount if you request DDoS attack on your 
competitors/enemies. Fair market value ddos attacks a 
simple site is about $100 per night, for you it will cost only 
70 $ per day. 

2. If we turn to your competitors / enemies, to make an 
attack on your site, then we deny them. 

Payment must be done on our purse Yandex-money number 
41001474323733. Every month the number will 

be a new purse, be careful. About how to use Yandex-money 
read on www.money.yandex.ru. If you want to apply to law 
enforcement agencies, we will not discourage you. We even 
give you their contacts: www.fsb.ru,www.mvd.ru " 

It's also worth pointing out that a huge number of "boutique 
vendors" of DDoS services remain reluctant to initiate DDoS 
attacks against government or political parties, in an 



attempt to stay beneath the radar. This mentality prompted 
the inevitable development of "aggregate-and-forget" type 
of botnets exclusively aggregated for customer-tailored 
propositions who would inevitably get detected, shut down, 
but end up harder to trace back to the original source 
compared to a situation where they would be DDoS the 
requested high-profile target from the very same botnet that 
is closely monitored by the security community. 

The future of DDoS extortion attacks, however, looks a bit 
grey due the numerous monetization models that 

cybercriminals developed - for instance ransomware, which 
attempts to scale by extorting significant amounts of money 
from thousands of infected users in an automated and much 
more efficient way than the now old-fashioned 

DDoS extortion model. 

Related posts: 

[9] Botnet Communication Platforms 

[10] Custom DDoS Capabilities Within a Malware 

[11] A New DDoS Malware Kit in the Wild 

[12] Botnet on Demand Service 

[13] The DDoS Attack Against CNN.com 

[14] A Botnet Master's To-Do List 

[15] Custom DDoS Attacks Within Popular Malware 
Diversifying 


[16]Using Market Forces to Disrupt Botnets 



[17] Web Based Botnet Command and Control Kit 2.0 

[18] DDoS Attack Graphs from Russia vs Georgia's 
Cyberattacks 

[19] The DDoS Attack Against Bobbear.co.uk 

[20] Russian Homosexual Sites Under (Commissioned) DDoS 
Attack 
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Koobface Botnet's Scareware Business Model - Part 
Two (2009-11-11 19:03) 

UPDATED - Wednesday, November 18, 2009: A [l]new 
update is pushed to the hundreds of thousands infected 

hosts, which is now performing the redirection using 
dynamically generated .swf files, with every page using the 
same title "Wonderful Video". The redirection is also a 
relatively static process. 

For instance, if the original koobface redirector is 

koobface.infected.host/301, followed by the .swf 
redirection it will output koobface.infected.host/301/? 
go. 

New redirectors and scareware domains pushed within the 
past few hours include - everlastmovie .cn - Email: 
gmk2000@yahoo.com; smile-life .cn - Email: 
gmk2000@yahoo.com ; harry-pott .cn - Email: 
gmk2000@yahoo.com, 

[2] beprotected9 .com - Email: essi@calinsella.eu and 

[3] antivir3 .com - Email: essi@calinsella.eu. 

UPDATED - Tuesday, November 17, 2009: Koobface is 
[presuming scareware (Inst_312s2.exe) operations at 

[5]91.212.107.103 which was taken offline for a short period 
of time. ISP has been notified again, action should be taken 
shortly. The current domain portfolio including new ones 
parked there: 

ereuqba .cn - Email: spscript@hotmail.com 


eqoxyda .cn - Email: spscript@hotmail.com 
evouga .cn - Email: spscript@hotmail.com 
edivuka .cn - Email: spscript@hotmail.com 
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ebeama .cn - Email: spscript@hotmail.com 
kebugac .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 
kixyhce .cn - Email: spscript@hotmail.com 
cecyde .cn - Email: spscript@hotmail.com 
evybine .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
byzivte .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
cafgouh .cn - Email: spscript@hotmail.com 
kebfoki .cn - Email: spscript@hotmail.com 
ebogumi .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 



dusyti .cn - Email: spscnpt@hotmail.com 
dutsyvi .cn - Email: spscript@hotmail.com 
dutfij .cn - Email: spscript@hotmail.com 
bysivak .cn - Email: spscript@hotmail.com 
eqiovak .cn - Email: spscript@hotmail.com 
cecxoyk .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
edamym .cn - Email: spscript@hotmail.com 
eqibuym .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
cerdiko .cn - Email: spscript@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etywuq .cn - Email: spscript@hotmail.com 
ebejar .cn - Email: spscript@hotmail.com 
ebiuhas .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 



eqoybu .cn - Email: spscript@hotmail.com 
eviyzru .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
eboezu .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
eqoumiv .cn - Email: spscript@hotmail.com 
epuneyv .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
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cafropy .cn - Email: spscript@hotmail.com 
etyupy .cn - Email: spscript@hotmail.com 
kebquty .cn - Email: spscript@hotmail.com 
cakevy .cn - Email: spscript@hotmail.com 
eqouwy .cn - Email: spscript@hotmail.com 
epuvyiz .cn - Email: spscript@hotmail.com 



UPDATED - Monday, November 16, 2009: The Koobface 
gang is pushing [6]a new update, followed by a new 

portfolio of scareware redirectors and actual scareware 
serving domains. 

New portfolio of redirectors parked at [7]91.213.126.250: 
befree2 .cn - Email: gmk2000@yahoo.com 
scandinavianmall .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 
moored2009 .cn - Email: cael@newstile.it 
pica-pica .cn - Email: cael@newstile.it 
stroboscopicmovie .cn - Email: cael@newstile.it 
comedienne .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 
furorcorner .cn - Email: cael@newstile.it 
ionisationtools .cn - Email: guzimi@brendymail.de 
wax-max .cn - Email: cael@newstile.it 
plate-tracery .cn - Email: guzimi@brendymail.de 
little-bitty .cn - Email: admin@calen.be 
night-whale .cn - Email: admin@calen.be 
scary-scary .cn - Email: gmk2000@yahoo.com 
Second redirectors portfolio at [8]91.213.126.102: 



disorganizationOOO .cn - Email: guzimi@brendymail.de 

rainbowlike .cn - Email: HuiYingTsui@airways.au 

skewercall .cn - Email: HuiYingTsui@airways.au 

wegenerinfo .cn - Email: guzimi@brendymail.de 

kangaroocar .cn - Email: HuiYingTsui@airways.au 

pericallis .cn - Email: HuiYingTsui@airways.au 

treasure-planet .cn - Email: guzimi@brendymail.de 

genusbiz .cn - Email: HuiYingTsui@airways.au 

Currently [9]pushing scareware from primescanl .com - 
[10]83.133.124.149; [11]91.213.126.103; 

[12] 83.133.119.84; 

[13] 85.12.24.13. [14]Sampled scareware phones [15]back 

to windowsupdate8 .com/download/timesroman.tif - 

88.198.105.145 and angle-meter .com/?b=l 
(safewebnetwork .com) - 92.48.119.36. 

More scareware domains are parked on the same IPs: 

yourantivira7 .com - Email: j.wirth@smsdetective.com - 

[16] detection rate 

web-scanm .com - Email: essi@calinsella.eu - 

[17] detection rate 

yourantivira3 .com (wwwsecurescanal .com) - Email 
j.wirth@smsdetective.com 


primescan8 .com 



online-check-vll .com 


antivir-scanl .com - Email: contact@armadastate.us 
antispy-scanl .com - Email: contact@armadastate.us 

primescanl .com 
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checkforspyware2 .com - Email: admin@calen.be 

pc-antispyware3 .com - Email: contact@spaintours.com 

premium-protection6 .com - Email: 
contact@spaintours.com 

antivir7 .com - Email: admin@maternitycloth.eu 

online-check-v7 .com 

beprotected8 .com - Email: admin@maternitycloth.eu 
pc-antispyware9 .com - Email: contact@spaintours.com 

online-check-v9 .com 

checkfileshere .com - Email: admin@calen.be 
scanfileshere .com - Email: admin@calen.be 
antivir-scano .com - Email: contact@armadastate.us 
check-files-now .com - Email: admin@calen.be 
antivir-scanz .com - Email: contact@armadastate.us 
antispy-scanz .com - Email: contact@armadastate.us 



ISP's contributing the the monetization of Koobface have 
been notified. 

UPDATE: 91.212.107.103 has been taken offline courtesy 
of Blue Square Data Group Services Limited - [18]previous 
cooperation took place within a 3 hour period - with the 
Koobface gang migrating scareware operations to 

93.174.95.191 (AS29073 ECATEL-AS , Ecatel Network) and 

188.40.52.181; 188.40.52.180 - (AS24940, HETZNER-AS 

Hetzner Online AG RZ) - ISPs have been notified. 

The .info scareware domain portfolio will be suspended 
within the next 24 hours. 

[19]Ali Baba and the 40 thieves LLC a.k.a [20]my Ukrainian 
"fan club", the one with the [21]Bahama botnet connection, 
the [22]recent malvertising attacks connection, and the 
current market leader of [23]black hat search engine 
optimization campaigns, has been keeping themselves busy 
over the past couple of weeks, continuing to 

add additional layers of legitimacy into their campaigns 
(bit.ly redirectors to blogspot.com accounts leading to 
compromised hosts), proving that if a cybercrime 
enterprise wants to, it can run its malicious operations on 
the shoulders of legitimate service providers using them as 
"virtual human shield" in order to continue its operations 
without fear of retribution. 

• Go through [24]Koobface Botnet's Scareware Business 
Model - Part One 

Over the past two weeks, the Koobface gang once again 
indicated that it reads my blog, "appreciates" the ways I 
undermine the monetization element of their campaigns, 



and next to [25]redirecting Facebook's entire IP space to my 
blog, they've also, for the first time ever, [26]moved from 
using my name in their redirectors, to typosquatting it. 
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For instance, the - now suspended - Koobface domain 
pancho-2807 .com is registered to Pancho Panchev, 

pancho.panchev@gmail.com, followed by rdr20090924 
.info registered to Vancho Vanchev, 
vanchovanchev@mail.ru. 

As always, I'm totally flattered, and I'm still in a "stay tuned" 
mode for my very own branded scareware release - the 

Advanced Pro-Danchev Premium Live Mega 
Professional Anti-Spyware Online Cleaning Cyber 
Protection Scanner 

2010 . 

It's time to summarize some of the Koobface gang's recent 
activities, establish a direct connection with the 

Bahama botnet, the [27]Ukrainian dating scam agency 
[28]Confidential Connections whose [29]botnet operations 

were linked to money-mule recruitment scams, with active 
domains part of their affiliate network parked at a 

Koobface-connected scareware serving domains, followed by 
the fact that they're all responding to an IP involved in the 
ongoing U.S Federal Forms themed blackhat SEO campaign. 
It couldn't get any uglier. 
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As of recently the gang has migrated to a triple-layer of 
legitimate infrastructure, consisting of bit.ly redirectors, 
leading to automatically registered Blogspot account which 
redirect to Koobface infected hosts serving the Koobface 
binary and the redirecting to a periodically updated 
scareware domain. Here are some of the domains involved. 

Ongoing campaing dynamically generating bit.ly URLs 
redirecting to automatically registered Blogspot accounts, 

using the following URLs: 

bit.ly /VumFK -> drbryanferazzoli .blogspot.com 

bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 

bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 

bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 

bit.ly /2Pnn8l -> pattyedevero .blogspot.com 

bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 

bit.ly /lHDmbm -> malinegainey-green. 
blogspot.com 

bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 
bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 
bit.ly/46pcCI -> paulangelogaetano .blogspot.com 



bit.ly /lHDmbm -> malinegainey-green 
.blogspot.com 

bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com 
bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 
bit.ly/2h7XRU -> shunnarahamandla .blogspot.com 
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com 
bit.ly /3Zj98G -> schubachmarquis .blogspot.com 
bit.ly/lsXgRH -> nicnicmiralles .blogspot.com 
bit.ly /3eijza -> froneksaxxon .blogspot.com 
bit.ly /H3rr7 -> attreechappy .blogspot.com 
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly /30wc|n -> raheelanucci .blogspot.com 
bit.ly/2U7jYM -> orvelorvelblues .blogspot.com 
bit.ly/1CWOIZ -> kondrackinehemias .blogspot.com 
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly/IqbXsi -> lizzamottymotty .blogspot.com 
bit.ly /790Nz -> rayvongonsalves .blogspot.com 
bit.ly/22Jyex -> klaartjebjorgvinsson .blogspot.com 
bit.ly /p07jC -> humphriesteelateela .blogspot.com 
bit.ly /2lpZXx -> kalandraaleisha .blogspot.com 



The Blogspot accounts consist of a single post of 
automatically syndicated news item, which compared to 
pre¬ 
vious campaign which relied on 25 + Koobface infected IPs 
directly embedded at Blogspot itself, this time relies on a 
single URL which attempts to connect to any of the 
Koobface infected IPs embedded on it. The currently active 
campaign redirects to rainbowlike cn/?pid=312s02 
&sid=4dbl2f, which then redirects to [30]the scareware 
domain secure-your-files .com, with the sample phoning 
back to forbes-2009 .com/?b=lsl - 113.105.152.230, 
with another domain parked there activate-antivirus 
.com - Email: support@personal-solutions.com. 

Time to expose the entire portfolio of scareware domains 
pushed by the gang, and offer some historical OS- 

INT data on their activities which were not publicly released 
until enough connections between multiple campaigns were 
established.Which ISPs are currently offering hosting 
services for the scareware domains portfolio [31]pushed by 
the [32]Koobface gang? 

The current portfolio is parked at [33]206.217.201.245 
(AS36351 [34]SOFTLAYER 

Technologies Inc. surprise, surprise!); [35]212.117.174.19 
(AS44042 ROOT eSolutions surprise, surprise part two) and 
at [36]91.212.226.155 (AS44042 [37]ROOT eSolutions). 
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Scareware redirectors parked at 91.213.126.102: 


rainbowlike .cn - Email: HuiYingTsui@airways.au 

authorized-payments .com - Email: 
degrysemario@googlemail.com 

poltergeist2000 .cn - Email: nfrank@flamcon.com.cn 
sestiad2 .cn - Email: PietroToscani@celli.it 
uninformed2 .cn - Email: PietroToscani@celli.it 
retrocession2 .cn - Email: PietroToscani@celli.it 
unimpressible3 .cn - Email: PietroToscani@celli.it 
uncrown3 .cn - Email: PietroToscani@celli.it 
sneak-peak .cn - Email: info@Milwaukee911.com 
cellostuck .cn - Email: info@Milwaukee911.com 
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stinkingthink .cn - Email: nfrank@flamcon.com.cn 
skewercall .cn - Email: HuiYingTsui@airways.au 
be-spoken .cn - Email: info@Milwaukee911.com 
transmitteron .cn - Email: nfrank@flamcon.com.cn 
kangaroocar .cn - Email: HuiYingTsui@airways.au 
pericallis .cn - Email: HuiYingTsui@airways.au 
exponentials .cn - Email: info@Milwaukee911.com 
triforms .cn - Email: info@Milwaukee911.com 



outperformoly .cn - Email: nfrank@flamcon.com.cn 

genusbiz .cn - Email: HuiYingTsui@airways.au 

Scareware domains parked at 206.217.201.245; 
212.117.174.19 and 91.212.226.155: 

anti-malware-scan-for-you .com - Email: 
information@brunter.sw 

available-scanner .com - Email: m.smith@Recruiters.com 

bewareof spy ware .com - Email: m.smith@Recruiters.com 

defender-scan-for-you .com - Email: 
information@brunter.sw 

defender-scan-for-you3 .com - Email: 
informatio@belize.ca 

foryoumalwarecheck .com - Email: 
information@brunter.sw 

friends-protection .com - Email: 
m.smith@Recruiters.com 

further-scan .com - Email: m.smith@Recruiters.com 
goodonlineprotection .com - Email: info@time.co.uk 
good-scans .com - Email: m.smith@Recruiters.com 
guidetosecurity3 .com - Email: info@time.co.uk 
howtocleanpc2 .com - Email: admin@gnar-star.com 
howtoprotectpc3 .com - Email: admin@gnar-star.com 



howtosecure2 .com - Email: admin@gnar-star.com 
howtosecurea .com - Email: admin@gnar-star.com 
how-to-secure-pc2 .com - Email: admin@gnar-star.com 

protection-secrets .com - Email: info@time.co.uk 
scan-for-you .com - Email: information@brunter.sw 

scannerantimalware2 .com 
scannerantimalware4 .com 
scannerantimalware6 .com 

secure-your-dataO .com - Email: spradlin@carrental.com 

secure-your-files .com - Email: spradlin@carrental.com 

security-guide5 .com - Email: 
JohnnySMcmillan@yahoo.com 

security-infol .com - Email: 
JohnnySMcmillan@yahoo.com 

security-tips3 .com - Email: info@time.co.uk 

security-tools4 .com - Email: 
JohnnySMcmillan@yahoo.com 

webviruscheckl .com 

webviruscheck-4 .com 


webviruscheck5 .com 



Let us further expand the portfolio by listing the newly 
introduced scareware domains at [38]91.212.107.103, 

which was first mentioned in part one of the [39]Koobface 
Botnet's Scareware Business Model as a centralized 

hosting location for the gang's portfolio. 
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Scareware domains parked at 91.212.107.103: 
g-antivirus .com - Email: mhbilate@gmail.com 
generalantivirus com - Email: compalso@gmail.com 
general-antivirus .com - Email: abuse@domaincp.net.cn 
general-av .com - Email: mhbilate@gmail.com 
generalavs .com - Email: mhbilate@gmail.com 
gobackscan .com - Email: alcnafuch@gmail.com 
gobarscan .com - Email: jowimpee@gmail.com 
godeckscan .com - Email: quetotator@gmail.com 
godirscan .com - Email: momorule@gmail.com 
godoerscan .com - Email: geofishe@gmail.com 
goeachscan .com - Email: momorule@gmail.com 
goeasescan .com - Email: geofishe@gmail.com 
gofatescan .com - Email: alcnafuch@gmail.com 


gofowlscan .com - Email: stinfins@gmail.com 
gohandscan .com - Email: quetotator@gmail.com 
goherdscan .com - Email: jowimpee@gmail.com 
goironscan. com - Email: aloxier@gmail.com 
gojestscan. com - Email: jowimpee@gmail.com 
golimpscan. com - Email: stinfins@gmail.com 
golookscan. com - Email: stinfins@gmail.com 
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gomendscan. com - Email: gleyersth@gmail.com 
gomutescan. com - Email: momorule@gmail.com 
gonamescan. com - Email: geofishe@gmail.com 
goneatscan .com - Email: momorule@gmail.com 
gopickscan. com - Email: momorule@gmail.com 
gorestscan. com - Email: quetotator@gmail.com 
goroomscan. com - Email: gleyersth@gmail.com 
gosakescan. com - Email: stinfins@gmail.com 
goscanadd. com - Email: momorule@gmail.com 
goscanback .com - Email: alcnafuch@gmail.com 
goscanbar .com - Email: jowimpee@gmail.com 
goscancode .com - Email: geofishe@gmail.com 



goscandeck. com - Email: geofishe@gmail.com 
goscandir. com - Email: crschuma@gmail.com 
goscandoer .com - Email: crschuma@gmail.com 
goscanease. com - Email: crschuma@gmail.com 
goscanfowl. com - Email: stinfins@gmail.com 
goscanhand. com - Email: quetotator@gmail.com 
goscanherd. com - Email: jowimpee@gmail.com 
goscanjest. com - Email: jowimpee@gmail.com 
goscanlike. com - Email: geofishe@gmail.com 
goscanlimp. com - Email: stinfins@gmail.com 
goscanmend .com - Email: gleyersth@gmail.com 
goscanname. com - Email: crschuma@gmail.com 
goscanneat .com - Email: crschuma@gmail.com 
goscanpick. com - Email: crschuma@gmail.com 
goscanref. com - Email: quetotator@gmail.com 
goscanrest .com - Email: quetotator@gmail.com 
goscanroom .com - Email: gleyersth@gmail.com 
goscansake. com - Email: stinfins@gmail.com 
goscanslip. com - Email: jowimpee@gmail.com 
goscansole .com - Email: crschuma@gmail.com 
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goscantoil. com - Email: jowimpee@gmail.com 
goscantrio. com - Email: crschuma@gmail.com 
goscanxtra. com - Email: crschuma@gmail.com 
gosolescan. com - Email: geofishe@gmail.com 
gotoilscan. com - Email: jowimpee@gmail.com 
gotrioscan. com - Email: momorule@gmail.com 
gowellscan. com - Email: stinfins@gmail.com 
goxtrascan. com - Email: momorule@gmail.com 
iantiviruspro .com - Email: broderma@gmail.com 
iantivirus-pro .com - Email: feetecho@gmail.com 
ia-pro .com - Email: abuse@domaincp.net.cn 
iav-pro .com - Email: mcgettel@gmail.com 
in5ch .com - Email: getoony@gmail.com 
in5cs .com - Email: getoony@gmail.com 
in5ct .com - Email: phounkey@gmail.com 
in5id .com - Email: getoony@gmail.com 
in5it .com - Email: phounkey@gmail.com 
in5iv .com - Email: phounkey@gmail.com 


in5st .com - Email: getoony@gmail.com 
inavpro .com - Email: thdunnag@gmail.com 
scanatom6 .com - Email: sckimbro@gmail.com 
windoptimizer .com - Email: wousking@gmail.com 
wopayment .com - Email: broderma@gmail.com 
woptimizer .com - Email: broderma@gmail.com 
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cafropy .cn - Email: spscript@hotmail.com 
cakevy .cn - Email: spscript@hotmail.com 
dotqyuw .cn - Email: spscript@hotmail.com 
dovnaji .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 
duvaba .cn - Email: spscript@hotmail.com 
duvegy .cn - Email: spscript@hotmail.com 
duwbiec .cn - Email: spscript@hotmail.com 
duxsoez .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 



dyqkuam .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
edoqeg .cn - Email: spscript@hotmail.com 
epuneyv .cn - Email: spscript@hotmail.com 
epuvyiz .cn - Email: spscript@hotmail.com 
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eqadozu .cn - Email: spscript@hotmail.com 
eqaofed .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
eqayweh .cn - Email: spscript@hotmail.com 
eqibuym .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
eqiovak .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 


eqoumiv .cn - Email: spscnpt@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
ereuqba .cn - Email: spscript@hotmail.com 
erujale .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
esuteyb .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
keturma .cn - Email: spscript@hotmail.com 
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kevsopi .cn - Email: spscript@hotmail.com 
kijxayt .cn - Email: spscript@hotmail.com 
kiluxso .cn - Email: spscript@hotmail.com 
kipuxo .cn - Email: spscript@hotmail.com 
kirdabe .cn - Email: spscript@hotmail.com 


kiwraux .cn - Email: spscript@hotmail.com 
kixyhce .cn - Email: spscript@hotmail.com 
adjudg .info - Email: deciable@gmail.com 
afront .info - Email: calexing@gmail.com 
anprun .info - Email: deciable@gmail.com 
apalet .info - Email: deciable@gmail.com 
argier .info - Email: stthatch@gmail.com 
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asbro .info - Email: recuscon@gmail.com 
atquit .info - Email: recuscon@gmail.com 
atwain .info - Email: deciable@gmail.com 
bagse .info - Email: calexing@gmail.com 
bedaub .info - Email: jaohra@gmail.com 
bedrid .info - Email: magoetzim@gmail.com 
beeves .info - Email: piproux@gmail.com 
besort .info - Email: jaohra@gmail.com 
bettev .info - Email: recuscon@gmail.com 
bettre .info - Email: phvandiv@gmail.com 
birnam .info - Email: jaohra@gmail.com 
botled .info - Email: deciable@gmail.com 



brawns .info - Email: calexing@gmail.com 
brisky .info - Email: recuscon@gmail.com 
camlet .info - Email: enomman@gmail.com 
caretz .info - Email: piproux@gmail.com 
cheir .info - Email: jaohra@gmail.com 
cuique .info - Email: calexing@gmail.com 
daphni .info - Email: calexing@gmail.com 
deble .info - Email: bebrashe@gmail.com 
debuty .info - Email: stthatch@gmail.com 
declin. info - Email: stthatch@gmail.com 
devicel .info - Email:stthatch@gmail.com 
dislik. info - Email: krharbou@gmail.com 
dolchi. info - Email: stthatch@gmail.com 
dolet. info - Email: magoetzim@gmail.com 
dolet. info - Email: magoetzim@gmail.com 
droope .info - Email: deciable@gmail.com 
empery .info - Email: phvandiv@gmail.com 
engirt .info - Email: jaohra@gmail.com 
eratile .info - Email: magoetzim@gmail.com 
erpeer .info - Email: deciable@gmail.com 



evyns. info - Email: magoetzim@gmail.com 
exampl .info - Email: krharbou@gmail.com 
extrip .info - Email: piproux@gmail.com 
fatted .info - Email: stthatch@gmail.com 
fedar. info - Email: phvandiv@gmail.com 
fifthz .info - Email: stthatch@gmail.com 
figgle .info - Email: deciable@gmail.com 
fliht .info - Email: krharbou@gmail.com 
fosset .info - Email: deciable@gmail.com 
freckl .info - Email: stthatch@gmail.com 
freiny. info - Email: krharbou@gmail.com 
froday. info - Email: deciable@gmail.com 
fulier. info - Email: deciable@gmail.com 
gaudad .info - Email: enomman@gmail.com 
gelded, info - Email: stthatch@gmail.com 
gicke .info - Email: magoetzim@gmail.com 
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girded .info - Email: jaohra@gmail.com 
goterm .info - Email: calexing@gmail.com 


guiany. info - Email: krharbou@gmail.com 
haere .info - Email: deciable@gmail.com 
hilloa. info - Email: phvandiv@gmail.com 
holdit. info - Email: stthatch@gmail.com 
hownet .info - Email: stthatch@gmail.com 
ignomy. info - Email: jaohra@gmail.com 
implor. info - Email: jaohra@gmail.com 
inclin. info - Email: grattab@gmail.com 
inquir .info - Email: stthatch@gmail.com 
jorgan .info - Email: bebrashe@gmail.com 
kedder .info - Email: enomman@gmail.com 
knivel .info - Email: deciable@gmail.com 
krapen .info - Email: deciable@gmail.com 
lavolt .info - Email: jaohra@gmail.com 
lavyer .info - Email: bebrashe@gmail.com 
lequel .info - Email: acjspain@gmail.com 
lowatt .info - Email: krharbou@gmail.com 
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meanly.info - Email: krharbou@gmail.com 
meyrie.info - Email: piproux@gmail.com 



midid .info - Email: magoetzim@gmail.com 
miloty .info - Email: stthatch@gmail.com 
mobled .info - Email: magoetzim@gmail.com 
monast. info - Email: phvandiv@gmail.com 
moont. info - Email: magoetzim@gmail.com 
narowz .info - Email: enomman@gmail.com 
nevils .info - Email: stthatch@gmail.com 
nnight .info - Email: piproux@gmail.com 
nroof .info - Email: krharbou@gmail.com 
numben .info - Email: deciable@gmail.com 
obsque .info - Email: jaohra@gmail.com 
octian .info - Email: jaohra@gmail.com 
odest. info - Email: phvandiv@gmail.com 
onclew .info - Email: phvandiv@gmail.com 
orifex .info - Email: krharbou@gmail.com 
orodes .info - Email: deciable@gmail.com 
outliv .info - Email: stthatch@gmail.com 
pante .info - Email: jaohra@gmail.com 
pasio .info - Email: jaohra@gmail.com 
pittie. info - Email: stthatch@gmail.com 



plamet .info - Email: stthatch@gmail.com 
plazec. info - Email: bebrashe@gmail.com 
potinz. info - Email: stthatch@gmail.com 
pplay. info - Email: jaohra@gmail.com 
pretia .info - Email: krharbou@gmail.com 
quoifs. info - Email: enomman@gmail.com 
qward. info - Email: enomman@gmail.com 
raught .info - Email: piproux@gmail.com 
realfly .info - Email: phvandiv@gmail.com 
reglet. info - Email: stthatch@gmail.com 
rogero .info - Email: stthatch@gmail.com 
sallut. info - Email: deciable@gmail.com 
sawme .info - Email: stthatch@gmail.com 
scarre .info - Email: enomman@gmail.com 
scrowl. info - Email: enomman@gmail.com 
sigeia. info - Email: krharbou@gmail.com 
sighal. info - Email: stthatch@gmail.com 
speen. info - Email: enomman@gmail.com 
spelem .info - Email: bebrashe@gmail.com 
spinge. info - Email: krharbou@gmail.com 



squach. info - Email: krharbou@gmail.com 
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stampo. info - Email: enomman@gmail.com 
steepy. info - Email: stthatch@gmail.com 
strawy, info - Email: jaohra@gmail.com 
suivez. info - Email: krharbou@gmail.com 
sundery .info - Email: phvandiv@gmail.com 
surnam. info - Email: krharbou@gmail.com 
swoln. info - Email: acjspain@gmail.com 
swoons .info - Email: enomman@gmail.com 
taulus. info - Email: jaohra@gmail.com 
tenshy. info - Email: stthatch@gmail.com 
tented, info - Email: deciable@gmail.com 
ticedu. info - Email: enomman@gmail.com 
tithed, info - Email: bebrashe@gmail.com 
topful. info - Email: jaohra@gmail.com 
unclin. info - Email: stthatch@gmail.com 
undeaf, info - Email: enomman@gmail.com 
unowed, info - Email: enomman@gmail.com 


unwept, info - Email: stthatch@gmail.com 
usicam. info - Email: stthatch@gmail.com 
vagrom. info - Email: bebrashe@gmail.com 
veldun. info - Email: jaohra@gmail.com 
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vipren. info - Email: calexing@gmail.com 

voided, info - Email: krharbou@gmail.com 

volsce. info - Email: krharbou@gmail.com 

washy, info - Email: phvandiv@gmail.com 

wincot. info - Email: enomman@gmail.com 

wiving, info - Email: enomman@gmail.com 

wooer, info - Email: jaohra@gmail.com 

xonker. info - Email: jaohra@gmail.com 

Historical OSINT of Koobface scareware activity over 
a period of two weeks 

The following is a snapshot of Koobface scareware activity 
during the last two weeks, establishing a direct connection 
between the Koobface botnet, the ongoing blackhat SEO 
campaigns, the Bahama botnet with scareware samples 

modifying HOSTS files, and an Ukrainian dating scam 
agency where the gang appears to be part of an affiliate 
network. 



Scareware samples pushed by Koobface, with associated 
detection rates: 

[40] mexcleaner .in - Email: niclas@i.ua 

[41] safetyscantool .com - 62.90.136.237 - Email: 
Suzanne.R.Muniz@trashymail.com 

[42] stabilitytoolsonline .com - Email: 
Brent.l.Purnell@pookmail.com 

[43] securitytestnetonline .com - 62.90.136.237 - Email 
Dianne.T.Whitley@pookmail.com 

[44] securityprogramguide .com - Email: 
Kiyoko.T.Johnson@mailinator.com 

[45] cheapsecurityscan .com - Email: 
Kevin.L.Linkous@trashymail.com 

[46] securitycheckwest .com; webbiztest .com - Email 
Ruthie.R.Wilcox@mailinator.com 

[47] securitycodereviews .com - 62.90.136.237 - Email: 
Darwin.L.Mcgowan@trashymail.com 

[48] netmedtest .com - 62.90.136.237 - Email: 
lrene.D.Snow@trashymail.com 

[49] toolsdirectnow .com - Email: 
Frank.J.Bullard@trashymail.com 

(ratspywawe .in; wqdefender .in; pivocleaner .in; 
mexcleaner .in; sapesoft .in; alsoft .in; samosoft .in; 
jastaspy 

.in; lastspy .in; felupdate .info; inkoclear .info; 
drlcleaner .info; tiposoft .info; fkupd .eu; piremover 



.eu; igsoft .eu; sersoft .eu) - [50]detection [51]rate 
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Download locations of the actual scareware binary used over 
the past two weeks: 

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com 

6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 

mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 

84u9wb2hsh4p6 .cn - Email: 
robertsimonkroon@gmail.com 

6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 


mt3pvkfmpi7de .cn - Email: 
robertsimonkroon@gmail.com 

fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com 
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com 
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 
744 


£ 


p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 

gjpwsc5p7oe3m .cn - Email: 
robertsimonkroon@gmail.com 

fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 

7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com 

3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com 

p0umob9k2g7mp .cn - Email: 
robertsimonkroon@gmail.com 

od32qjx6meqos .cn - Email: 
robertsimonkroon@gmail.com 

bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 

7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 

What's the deal with the historical OSINT and why wasn't 
this data communicated right away? 


Keep read¬ 
ing. 

The Bahama Botnet Connection 

During September, the folks at ClickForensics made an 
interesting observation regarding [52]my Ukrainian "fan 
club" and the ad revenue stealing/click-fraud committing 
botnet Bahama - some of the scareware samples were 

[53]modifying the HOSTS file and presenting the victim with 
M [54]one of those cybecrime-friendly search engines" 

stealing revenue in the process. 

Once the connection was also established by me at a later 
stage, data released in regard to [55]the New York 
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Times malvertising attack once again revealed a connection 
between all campaigns - the very same domains used to 
serve the scareware, were also used in a blackhat SEO 
campaign which I analyzed a week before the incident took 
place. Basically, the [56]scareware pushed by the Koobface 
botnet, as well as the scareware pushed by the blackhat 
SEO campaigns maintained by the gangs is among the 
several propagation approaches used for the DNS records 

poisoning to take place: 

" However, in the case of the Bahama Botnet, this DNS 
translation method gets corrupted. The Bahama botnet 
malware causes the infected computer to mistranslate a 
domain name. Instead of translating "Google.com" as 


74 . 125 . 155 . 99 , an infected computer will translate it as 
64 . 86 . 17 . 56 . That number doesn't represent any computer 
owned by Google. Instead, it represents a computer located 
in Canada. When a user with an infected machine 

performs a search on what they think is google.com, the 
query actually goes to the Canadian computer, which pulls 
real search results directly from Google, fiddles with them a 
bit, and displays them to the searcher. 

Now the searcher is looking at a page that looks exactly like 
the Google search results page, but it's not. A dick on the 
apparently " organic" results will redirect as a paid dick 
through several ad networks or parked domains — some 
comp licit, some not. Regardless, cost per click (CPC) fees 
are generated, advertisers pay, and dick fraud has 
occurred. " 
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The 64 . 86 . 17.56 mentioned is actually [57]AS30407 
(Velcom), which has also been used in [58]recent 
campaigns. 

ISP and domain registrars have been notified, action should 
be taken shortly. What was particularly interesting to 
observe was scareware pushed by the Koobface botnet 
phoning back to its well known urodinam 
.net/8732489273.php domain, was also modifying the 
HOSTS file in the following way. Sample HOSTS modification 
of scareware (MD5: 

OxOFBF 1A9F8E6E305138151440DA58B4F1) pushed by 
Koobface: 


89.149.210.109 www.google.com 

89.149.210.109 www.google.de 

89.149.210.109 www.google.fr 

89.149.210.109 www.google.co.uk 

89.149.210.109 www.google.com.br 

89.149.210.109 www.google.it 

89.149.210.109 www.google.es 

89.149.210.109 www.google.co.jp 

89.149.210.109 www.google.com.mx 

89.149.210.109 www.google.ca 

89.149.210.109 www.google.com.au 

89.149.210.109 www.google.nl 

89.149.210.109 www.google.co.za 

89.149.210.109 www.google.be 

89.149.210.109 www.google.gr 

89.149.210.109 www.google.at 

89.149.210.109 www.google.se 

89.149.210.109 www.google.ch 

89.149.210.109 www.google.pt 

89.149.210.109 www.google.dk 



89.149.210.109 www.google.fi 

89.149.210.109 www.google.ie 

89.149.210.109 www.google.no 

89.149.210.109 search.yahoo.com 

89.149.210.109 us.search.yahoo, com 

89.149.210.109 uk.search.yahoo, com 
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Sample HOSTS modification of scareware (MD5: 

OxOFBF 1A9F8E6E305138151440DA58B4F1) pushed by 
blackhat SEO: 

74.125.45.100 4-open-da vinci. com 

74.125.45.100 securitysoftwarepayments. com 

74.125.45.100 privatesecuredpayments.com 

74.125.45.100 secure.privatesecuredpayments.com 

74.125.45.100 getantivirusplusnow.com 

74.125.45.100 secure-plus-payments, com 

74.125.45.100 www.getantivirusplusnow.com 

74.125.45.100 www.secure-plus-payments. com 

74.125.45.100 www. geta vplusno w. com 

74.125.45.100 www. securesoftwarebill. com 

74.125.45.100 secure.paysecuresystem. com 



74.125.45.100 paysoftbillsolution. com 

64.86.16.97 google.ae 

64.86.16.97 google, as 

64.86.16.97 google.at 

64.86.16.97 google.az 

64.86.16.97 google.ba 

64.86.16.97 google.be 

64.86.16.97 google.bg 

64.86.16.97 google.bs 

64.86.16.97 google.ca 

64.86.16.97 google.cd 

64.86.16.97 google, com.gh 

64.86.16.97 google, com.hk 

64.86.16.97 google.com.jm 

64.86.16.97 google, com. mx 

64.86.16.97 google.com.my 

64.86.16.97 google.com.na 

64.86.16.97 google.com. nf 

64.86.16.97 google.com. ng 

64.86.16.97 google, ch 



64.86.16.97 google.com.np 

64.86.16.97 google.com.pr 

64.86.16.97 google, com. qa 

64.86.16.97 google.com.sg 

64.86.16.97 google, com. tj 

64.86.16.97 google.com. tw 

64.86.16.97 google.dj 

64.86.16.97 google.de 

64.86.16.97 google.dk 

64.86.16.97 google, dm 

64.86.16.97 google.ee 
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64.86.16.97 google.fi 

64.86.16.97 google, fm 

64.86.16.97 google.fr 

64.86.16.97 google.ge 

64.86.16.97 google.gg 

64.86.16.97 google.gm 

64.86.16.97 google.gr 


64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 
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64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 


google, ht 
google, ie 
google, im 
google, in 
google.it 
google, ki 
google. I a 
google. I i 
google.lv 
google, ma 
google, ms 
google, mu 
google.mw 

google.nl 
google.no 
google, nr 
google, nu 
google.pl 


97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 


64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 
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64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 

64 . 86 . 

16 . 


google.pn 

google.pt 

google.ro 

google.ru 

google, rw 

google, sc 

google.se 

google.sh 

google, si 

google.sm 

google.sn 

google, st 
google, tl 
google, tm 
google, tt 
google, us 
google, vu 
google, ws 


97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 


64.86.16.97 google.co.ck 

64.86.16.97 google.co.id 

64.86.16.97 google.co.il 

64.86.16.97 google.co.in 

64.86.16.97 google.co.jp 

64.86.16.97 google.co.kr 

64.86.16.97 google, co.Is 

64.86.16.97 google.co.ma 
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64.86.16.97 google.co.nz 

64.86.16.97 google.co.tz 

64.86.16.97 google, co. ug 

64.86.16.97 google, co. uk 

64.86.16.97 google.co.za 

64.86.16.97 google.co.zm 

64.86.16.97 google.com 

The historical OSINT paragraph mentioned that several of 

the scareware domains pushed during the past two 
weeks were responding to 62.90.136.237, This very 
same 62.90.136.207 IP was hosting domains part of an 
[59]Ukrainian dating scam agency known as 


[60]Confidential Connections earlier this year, whose 
spamming operations were 

linked to a [61]botnet involved in money mule recruitment 
activities. 

For the time being, the following dating scam domains are 
responding to the same IP: 

healthe-lovesite .com - Email: potenciallio@safe-mail.net 

love-isaclick .com - Email: potenciallio@safe-mail.net 

love-is-special .com - Email: potenciallio@safe-mail.net 

only-loveall .com - Email: potenciallio@safe-mail.net 

and-i-loveyoutoo .com - Email: potenciallio@safe- 
mail.net 

andiloveyoutoo .com - Email: menorstlO@yahoo.com 
752 


£ 


romantic-love-forever .com - Email: potenciallio@safe- 
mail.net 

love-youloves .com - Email: potenciallio@safe-mail.net 

love-galaxys .com - Email: potenciallio@safe-mail.net 

love-formeandyou .com - Email: potenciallio@safe- 
mail.net 

ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 


love-isexcellent .net - Email: potenciallio@safe-mail.net 
Could it get even more malicious and fraudulent than that? 
Appreciate my thetoric. 

The same email 

(potenciallio@safe-mail.net) that was used to register the 
dating scam domains was also used to register ex¬ 
ploit serving domains at 195.88.190.247, [62]participate 
in phishing campaigns, and register a [63]money mule 
recruitment site for the non-existent [64]AIIied Insurance 
LLC. (Allied Group, Inc.). 

Now that's a multi-tasking underground enterprise, isn't it? 
The ISPs have been notified, domains suspension 

is pending. 

Related posts: 

[65] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[66] New Koobface campaign spoofs Adobe's Flash updater 
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[67] Social engineering tactics of the Koobface botnet 

[68] Koobface Botnet Dissected in a TrendMicro Report 

[69] Koobface Botnet's Scareware Business Model 

[70] Movement on the Koobface Front - Part Two 



[71] Movement on the Koobface Front 

[72] Koobface - Come Out, Come Out, Wherever You Are 

[73] Dissecting Koobface Worm's Twitter Campaign 

[74] Dissecting the Koobface Worm's December Campaign 

[75] Dissecting the Latest Koobface Facebook Campaign 

[76] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [77]Dancho Danchev's 
blog. 
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Koobface Botnet's Scareware Business Model - Part 
Two (2009-11-11 19:03) 

UPDATED - Wednesday, November 18, 2009: A [l]new 
update is pushed to the hundreds of thousands infected 

hosts, which is now performing the redirection using 
dynamically generated .swf files, with every page using the 
same title "Wonderful Video". The redirection is also a 
relatively static process. 

For instance, if the original koobface redirector is 

koobface.infected.host/301, followed by the .swf 


























redirection it will output koobface.infected.host/301/? 
go. 

New redirectors and scareware domains pushed within the 
past few hours include - everlastmovie .cn - Email: 
gmk2000@yahoo.com; smile-life .cn - Email: 
gmk2000@yahoo.com ; harry-pott .cn - Email: 
gmk2000@yahoo.com, 

[2] beprotected9 .com - Email: essi@calinsella.eu and 

[3] antivir3 .com - Email: essi@calinsella.eu. 

UPDATED - Tuesday, November 17, 2009: Koobface is 
[presuming scareware (Inst_312s2.exe) operations at 

[5]91.212.107.103 which was taken offline for a short period 
of time. ISP has been notified again, action should be taken 
shortly. The current domain portfolio including new ones 
parked there: 

ereuqba .cn - Email: spscript@hotmail.com 
eqoxyda .cn - Email: spscript@hotmail.com 
evouga .cn - Email: spscript@hotmail.com 
edivuka .cn - Email: spscript@hotmail.com 
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ebeama .cn - Email: spscript@hotmail.com 
kebugac .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 
kixyhce .cn - Email: spscript@hotmail.com 



cecyde .cn - Email: spscript@hotmail.com 
evybine .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
byzivte .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
cafgouh .cn - Email: spscript@hotmail.com 
kebfoki .cn - Email: spscript@hotmail.com 
ebogumi .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 
dusyti .cn - Email: spscript@hotmail.com 
dutsyvi .cn - Email: spscript@hotmail.com 
dutfij .cn - Email: spscript@hotmail.com 
bysivak .cn - Email: spscript@hotmail.com 
eqiovak .cn - Email: spscript@hotmail.com 
cecxoyk .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
edamym .cn - Email: spscript@hotmail.com 



eqibuym .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
cerdiko .cn - Email: spscript@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etywuq .cn - Email: spscript@hotmail.com 
ebejar .cn - Email: spscript@hotmail.com 
ebiuhas .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
eqoybu .cn - Email: spscript@hotmail.com 
eviyzru .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
eboezu .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
eqoumiv .cn - Email: spscript@hotmail.com 



epuneyv .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
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cafropy .cn - Email: spscript@hotmail.com 

etyupy .cn - Email: spscript@hotmail.com 

kebquty .cn - Email: spscript@hotmail.com 

cakevy .cn - Email: spscript@hotmail.com 

eqouwy .cn - Email: spscript@hotmail.com 

epuvyiz .cn - Email: spscript@hotmail.com 

UPDATED - Monday, November 16, 2009: The Koobface 
gang is pushing [6]a new update, followed by a new 

portfolio of scareware redirectors and actual scareware 
serving domains. 

New portfolio of redirectors parked at [7]91.213.126.250: 
befree2 .cn - Email: gmk2000@yahoo.com 
scandinavianmall .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 
moored2009 .cn - Email: cael@newstile.it 



pica-pica .cn - Email: cael@newstile.it 
stroboscopicmovie .cn - Email: cael@newstile.it 
comedienne .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 
furorcorner .cn - Email: cael@newstile.it 
ionisationtools .cn - Email: guzimi@brendymail.de 
wax-max .cn - Email: cael@newstile.it 
plate-tracery .cn - Email: guzimi@brendymail.de 
little-bitty .cn - Email: admin@calen.be 
night-whale .cn - Email: admin@calen.be 
scary-scary .cn - Email: gmk2000@yahoo.com 
Second redirectors portfolio at [8]91.213.126.102: 
disorganizationOOO .cn - Email: guzimi@brendymail.de 
rainbowlike .cn - Email: HuiYingTsui@airways.au 
skewercall .cn - Email: HuiYingTsui@airways.au 
wegenerinfo .cn - Email: guzimi@brendymail.de 
kangaroocar .cn - Email: HuiYingTsui@airways.au 
pericallis .cn - Email: HuiYingTsui@airways.au 
treasure-planet .cn - Email: guzimi@brendymail.de 
genusbiz .cn - Email: HuiYingTsui@airways.au 



Currently [9]pushing scareware from primescanl .com - 
[10]83.133.124.149; [11]91.213.126.103; 

[12] 83.133.119.84; 

[13] 85.12.24.13. [14]Sampled scareware phones [15]back 

to windowsupdate8 .com/download/timesroman.tif - 

88.198.105.145 and angle-meter .com/?b=l 
(safewebnetwork .com) - 92.48.119.36. 

More scareware domains are parked on the same IPs: 

yourantivira7 .com - Email: j.wirth@smsdetective.com - 

[16] detection rate 

web-scanm .com - Email: essi@calinsella.eu - 

[17] detection rate 

yourantivira3 .com (wwwsecurescanal .com) - Email 
j.wirth@smsdetective.com 

primescan8 .com 

online-check-vll .com 

antivir-scanl .com - Email: contact@armadastate.us 
antispy-scanl .com - Email: contact@armadastate.us 

primescanl .com 
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checkforspyware2 .com - Email: admin@calen.be 
pc-antispyware3 .com - Email: contact@spaintours.com 



premium-protection6 .com - Email: 
contact@spaintours.com 

antivir7 .com - Email: admin@maternitycloth.eu 

online-check-v7 .com 

beprotected8 .com - Email: admin@maternitycloth.eu 
pc-antispyware9 .com - Email: contact@spaintours.com 

online-check-v9 .com 

checkfileshere .com - Email: admin@calen.be 

scanfileshere .com - Email: admin@calen.be 

antivir-scano .com - Email: contact@armadastate.us 

check-files-now .com - Email: admin@calen.be 

antivir-scanz .com - Email: contact@armadastate.us 

antispy-scanz .com - Email: contact@armadastate.us 

ISP's contributing the the monetization of Koobface have 
been notified. 

UPDATE: 91.212.107.103 has been taken offline courtesy 
of Blue Square Data Group Services Limited - [18]previous 
cooperation took place within a 3 hour period - with the 
Koobface gang migrating scareware operations to 

93.174.95.191 (AS29073 ECATEL-AS , Ecatel Network) and 

188.40.52.181; 188.40.52.180 - (AS24940, HETZNER-AS 

Hetzner Online AG RZ) - ISPs have been notified. 



The .info scareware domain portfolio will be suspended 
within the next 24 hours. 

[19]Ali Baba and the 40 thieves LLC a.k.a [20]my Ukrainian 
"fan club", the one with the [21]Bahama botnet connection, 
the [22]recent malvertising attacks connection, and the 
current market leader of [23]black hat search engine 
optimization campaigns, has been keeping themselves busy 
over the past couple of weeks, continuing to 

add additional layers of legitimacy into their campaigns 
(bit.ly redirectors to blogspot.com accounts leading to 
compromised hosts), proving that if a cybercrime 
enterprise wants to, it can run its malicious operations on 
the shoulders of legitimate service providers using them as 
"virtual human shield" in order to continue its operations 
without fear of retribution. 

• Go through [24]Koobface Botnet's Scareware Business 
Model - Part One 

Over the past two weeks, the Koobface gang once again 
indicated that it reads my blog, "appreciates" the ways I 
undermine the monetization element of their campaigns, 
and next to [25]redirecting Facebook's entire IP space to my 
blog, they've also, for the first time ever, [26]moved from 
using my name in their redirectors, to typosquatting it. 
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For instance, the - now suspended - Koobface domain 
pancho-2807 .com is registered to Pancho Panchev, 

pancho.panchev@gmail.com, followed by rdr20090924 


.info registered to Vancho Vanchev, 

vanchovanchev@mail.ru. 

As always, I'm totally flattered, and I'm still in a "stay tuned" 
mode for my very own branded scareware release - the 

Advanced Pro-Danchev Premium Live Mega 
Professional Anti-Spyware Online Cleaning Cyber 
Protection Scanner 

2010 . 

It's time to summarize some of the Koobface gang's recent 
activities, establish a direct connection with the 

Bahama botnet, the [27]Ukrainian dating scam agency 
[28]Confidential Connections whose [29]botnet operations 

were linked to money-mule recruitment scams, with active 
domains part of their affiliate network parked at a 

Koobface-connected scareware serving domains, followed by 
the fact that they're all responding to an IP involved in the 
ongoing U.S Federal Forms themed blackhat SEO campaign. 
It couldn't get any uglier. 
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As of recently the gang has migrated to a triple-layer of 
legitimate infrastructure, consisting of bit.ly redirectors, 
leading to automatically registered Blogspot account which 
redirect to Koobface infected hosts serving the Koobface 
binary and the redirecting to a periodically updated 
scareware domain. Flere are some of the domains involved. 

Ongoing campaing dynamically generating bit.ly URLs 
redirecting to automatically registered Blogspot accounts, 



using the following URLs: 

bit.ly /VumFK -> drbryanferazzoli .blogspot.com 

bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 

bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 

bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 

bit.ly /2Pnn8l -> pattyedevero .blogspot.com 

bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 

bit.ly/lHDmbm -> malinegainey-green. 
blogspot.com 

bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 

bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 

bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 

bit.ly/46pcCI -> paulangelogaetano .blogspot.com 

bit.ly /lHDmbm -> malinegainey-green 
.blogspot.com 

bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com 
bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 
bit.ly/2h7XRU -> shunnarahamandla .blogspot.com 
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com 
bit.ly /3Zj98G -> schubachmarquis .blogspot.com 
bit.ly/lsXgRH -> nicnicmiralles .blogspot.com 



bit.ly /3eijza -> froneksaxxon .blogspot.com 
bit.ly/H3rr7 -> attreechappy .blogspot.com 
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly /30wc|n -> raheelanucci .blogspot.com 
bit.ly/2U7jYM -> orvelorvelblues .blogspot.com 
bit.ly/1CWOIZ -> kondrackinehemias .blogspot.com 
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly/IqbXsi -> lizzamottymotty .blogspot.com 
bit.ly/790Nz -> rayvongonsalves .blogspot.com 
bit.ly/22Jyex -> klaartjebjorgvinsson .blogspot.com 
bit.ly/p07jC -> humphriesteelateela .blogspot.com 
bit.ly /2lpZXx -> kalandraaleisha .blogspot.com 

The Blogspot accounts consist of a single post of 
automatically syndicated news item, which compared to 
pre¬ 
vious campaign which relied on 25+ Koobface infected IPs 
directly embedded at Blogspot itself, this time relies on a 
single URL which attempts to connect to any of the 
Koobface infected IPs embedded on it. The currently active 
campaign redirects to rainbowlike cn/?pid=312s02 
&sid=4dbl2f, which then redirects to [30]the scareware 
domain secure-your-files .com, with the sample phoning 
back to forbes-2009 .com/?b=lsl - 113.105.152.230, 
with another domain parked there activate-antivirus 
.com - Email: support@personal-solutions.com. 



Time to expose the entire portfolio of scareware domains 
pushed by the gang, and offer some historical OS- 

INT data on their activities which were not publicly released 
until enough connections between multiple campaigns were 
established.Which ISPs are currently offering hosting 
services for the scareware domains portfolio [31]pushed by 
the [32]Koobface gang? 

The current portfolio is parked at [33]206.217.201.245 
(AS36351 [34]SOFTLAYER 

Technologies Inc. surprise, surprise!); [35]212.117.174.19 
(AS44042 ROOT eSolutions surprise, surprise part two) and 
at [36]91.212.226.155 (AS44042 [37]ROOT eSolutions). 
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Scareware redirectors parked at 91.213.126.102: 

rainbowlike .cn - Email: HuiYingTsui@airways.au 

authorized-payments .com - Email: 
degrysemario@googlemail.com 

poltergeist2000 .cn - Email: nfrank@flamcon.com.cn 
sestiad2 .cn - Email: PietroToscani@celli.it 
uninformed2 .cn - Email: PietroToscani@celli.it 
retrocession2 .cn - Email: PietroToscani@celli.it 
unimpressible3 .cn - Email: PietroToscani@celli.it 
uncrown3 .cn - Email: PietroToscani@celli.it 


sneak-peak .cn - Email: info@MiIwaukee911.com 
cellostuck .cn - Email: info@Milwaukee911.com 
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stinkingthink .cn - Email: nfrank@flamcon.com.cn 

skewercall .cn - Email: HuiYingTsui@airways.au 

be-spoken .cn - Email: info@Milwaukee911.com 

transmitteron .cn - Email: nfrank@flamcon.com.cn 

kangaroocar .cn - Email: HuiYingTsui@airways.au 

pericallis .cn - Email: HuiYingTsui@airways.au 

exponentials .cn - Email: info@Milwaukee911.com 

triforms .cn - Email: info@Milwaukee911.com 

outperformoly .cn - Email: nfrank@flamcon.com.cn 

genusbiz .cn - Email: HuiYingTsui@airways.au 

Scareware domains parked at 206.217.201.245; 
212.117.174.19 and 91.212.226.155: 

anti-malware-scan-for-you .com - Email: 
information@brunter.sw 

available-scanner .com - Email: m.smith@Recruiters.com 

bewareof spy ware .com - Email: m.smith@Recruiters.com 

defender-scan-for-you .com - Email: 
information@brunter.sw 



defender-scan-for-you3 .com - Email: 
informatio@belize.ca 

foryoumalwarecheck .com - Email: 
information@brunter.sw 

friends-protection .com - Email: 
m.smith@Recruiters.com 

further-scan .com - Email: m.smith@Recruiters.com 
goodonlineprotection .com - Email: info@time.co.uk 
good-scans .com - Email: m.smith@Recruiters.com 
guidetosecurity3 .com - Email: info@time.co.uk 
howtocleanpc2 .com - Email: admin@gnar-star.com 
howtoprotectpc3 .com - Email: admin@gnar-star.com 
howtosecure2 .com - Email: admin@gnar-star.com 
howtosecurea .com - Email: admin@gnar-star.com 
how-to-secure-pc2 .com - Email: admin@gnar-star.com 
protection-secrets .com - Email: info@time.co.uk 
scan-for-you .com - Email: information@brunter.sw 
scannerantimalware2 .com 
scannerantimalware4 .com 
scannerantimalware6 .com 

secure-your-dataO .com - Email: spradlin@carrental.com 



secure-your-files .com - Email: spradlin@carrental.com 

security-guide5 .com - Email: 
JohnnySMcmillan@yahoo.com 

security-infol .com - Email: 
JohnnySMcmillan@yahoo.com 

security-tips3 .com - Email: info@time.co.uk 

security-tools4 .com - Email: 
JohnnySMcmillan@yahoo.com 

webviruscheckl .com 

webviruscheck-4 .com 

webviruscheck5 .com 

Let us further expand the portfolio by listing the newly 
introduced scareware domains at [38J91.212.107.103, 

which was first mentioned in part one of the [39]Koobface 
Botnet's Scareware Business Model as a centralized 

hosting location for the gang's portfolio. 
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Scareware domains parked at 91.212.107.103: 
g-antivirus .com - Email: mhbilate@gmail.com 
generalantivirus com - Email: compalso@gmail.com 
general-antivirus .com - Email: abuse@domaincp.net.cn 


general-av .com - Email: mhbiIate@gmail.com 
generalavs .com - Email: mhbilate@gmail.com 
gobackscan .com - Email: alcnafuch@gmail.com 
gobarscan .com - Email: jowimpee@gmail.com 
godeckscan .com - Email: quetotator@gmail.com 
godirscan .com - Email: momorule@gmail.com 
godoerscan .com - Email: geofishe@gmail.com 
goeachscan .com - Email: momorule@gmail.com 
goeasescan .com - Email: geofishe@gmail.com 
gofatescan .com - Email: alcnafuch@gmail.com 
gofowlscan .com - Email: stinfins@gmail.com 
gohandscan .com - Email: quetotator@gmail.com 
goherdscan .com - Email: jowimpee@gmail.com 
goironscan. com - Email: aloxier@gmail.com 
gojestscan. com - Email: jowimpee@gmail.com 
golimpscan. com - Email: stinfins@gmail.com 
golookscan. com - Email: stinfins@gmail.com 
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gomendscan. com - Email: gleyersth@gmail.com 
gomutescan. com - Email: momorule@gmail.com 



gonamescan. com - Email: geofishe@gmail.com 
goneatscan .com - Email: momorule@gmail.com 
gopickscan. com - Email: momorule@gmail.com 
gorestscan. com - Email: quetotator@gmail.com 
goroomscan. com - Email: gleyersth@gmail.com 
gosakescan. com - Email: stinfins@gmail.com 
goscanadd. com - Email: momorule@gmail.com 
goscanback .com - Email: alcnafuch@gmail.com 
goscanbar .com - Email: jowimpee@gmail.com 
goscancode .com - Email: geofishe@gmail.com 
goscandeck. com - Email: geofishe@gmail.com 
goscandir. com - Email: crschuma@gmail.com 
goscandoer .com - Email: crschuma@gmail.com 
goscanease. com - Email: crschuma@gmail.com 
goscanfowl. com - Email: stinfins@gmail.com 
goscanhand. com - Email: quetotator@gmail.com 
goscanherd. com - Email: jowimpee@gmail.com 
goscanjest. com - Email: jowimpee@gmail.com 
goscanlike. com - Email: geofishe@gmail.com 
goscanlimp. com - Email: stinfins@gmail.com 



goscanmend .com - Email: gleyersth@gmail.com 
goscanname. com - Email: crschuma@gmail.com 
goscanneat .com - Email: crschuma@gmail.com 
goscanpick. com - Email: crschuma@gmail.com 
goscanref. com - Email: quetotator@gmail.com 
goscanrest .com - Email: quetotator@gmail.com 
goscanroom .com - Email: gleyersth@gmail.com 
goscansake. com - Email: stinfins@gmail.com 
goscanslip. com - Email: jowimpee@gmail.com 
goscansole .com - Email: crschuma@gmail.com 
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goscantoil. com - Email: jowimpee@gmail.com 
goscantrio. com - Email: crschuma@gmail.com 
goscanxtra. com - Email: crschuma@gmail.com 
gosolescan. com - Email: geofishe@gmail.com 
gotoilscan. com - Email: jowimpee@gmail.com 
gotrioscan. com - Email: momorule@gmail.com 
gowellscan. com - Email: stinfins@gmail.com 


goxtrascan. com - Email: momorule@gmail.com 
iantiviruspro .com - Email: broderma@gmail.com 
iantivirus-pro .com - Email: feetecho@gmail.com 
ia-pro .com - Email: abuse@domaincp.net.cn 
iav-pro .com - Email: mcgettel@gmail.com 
in5ch .com - Email: getoony@gmail.com 
in5cs .com - Email: getoony@gmail.com 
in5ct .com - Email: phounkey@gmail.com 
in5id .com - Email: getoony@gmail.com 
in5it .com - Email: phounkey@gmail.com 
in5iv .com - Email: phounkey@gmail.com 
in5st .com - Email: getoony@gmail.com 
inavpro .com - Email: thdunnag@gmail.com 
scanatom6 .com - Email: sckimbro@gmail.com 
windoptimizer .com - Email: wousking@gmail.com 
wopayment .com - Email: broderma@gmail.com 
woptimizer .com - Email: broderma@gmail.com 
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cafropy .cn - Email: spscript@hotmail.com 



cakevy .cn - Email: spscript@hotmail.com 
dotqyuw .cn - Email: spscript@hotmail.com 
dovnaji .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 
duvaba .cn - Email: spscript@hotmail.com 
duvegy .cn - Email: spscript@hotmail.com 
duwbiec .cn - Email: spscript@hotmail.com 
duxsoez .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
edoqeg .cn - Email: spscript@hotmail.com 



epuneyv .cn - Email: spscript@hotmail.com 
epuvyiz .cn - Email: spscript@hotmail.com 
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eqadozu .cn - Email: spscript@hotmail.com 
eqaofed .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
eqayweh .cn - Email: spscript@hotmail.com 
eqibuym .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
eqiovak .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 
eqoumiv .cn - Email: spscript@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
ereuqba .cn - Email: spscript@hotmail.com 
erujale .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
esuteyb .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 


etyawjo .cn - Email 
etykauw .cn - Emai 
evaolux .cn - Email 
evaopsu .cn - Emai 
keturma .cn - Emai 
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kevsopi .cn - Email 
kijxayt .cn - Email: 
kiluxso .cn - Email: 
kipuxo .cn - Email: 
kirdabe .cn - Email 
kiwraux .cn - Email 
kixyhce .cn - Email 
adjudg .info - Emai 
afront .info - Email 
anprun .info - Email 
apalet .info - Email: 
argier .info - Email: 


: spscript@hotmail.com 
I: spscript@hotmail.com 
: spscript@hotmail.com 
I: spscript@hotmail.com 
I: spscript@hotmail.com 

: spscript@hotmail.com 
spscript@hotmail.com 
spscript@hotmail.com 
spscript@hotmail.com 
: spscript@hotmail.com 
: spscript@hotmail.com 
: spscript@hotmail.com 
I: deciable@gmail.com 
: calexing@gmail.com 
: deciable@gmail.com 
deciable@gmail.com 
stthatch@gmail.com 
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asbro .info - Email: recuscon@gmail.com 
atquit .info - Email: recuscon@gmail.com 
atwain .info - Email: deciable@gmail.com 
bagse .info - Email: calexing@gmail.com 
bedaub .info - Email: jaohra@gmail.com 
bedrid .info - Email: magoetzim@gmail.com 
beeves .info - Email: piproux@gmail.com 
besort .info - Email: jaohra@gmail.com 
bettev .info - Email: recuscon@gmail.com 
bettre .info - Email: phvandiv@gmail.com 
birnam .info - Email: jaohra@gmail.com 
botled .info - Email: deciable@gmail.com 
brawns .info - Email: calexing@gmail.com 
brisky .info - Email: recuscon@gmail.com 
camlet .info - Email: enomman@gmail.com 
caretz .info - Email: piproux@gmail.com 
cheir .info - Email: jaohra@gmail.com 
cuique .info - Email: calexing@gmail.com 
daphni .info - Email: calexing@gmail.com 
deble .info - Email: bebrashe@gmail.com 



debuty .info - Email: stthatch@gmail.com 
declin. info - Email: stthatch@gmail.com 
devicel .info - Emaihstthatch@gmail.com 
dislik. info - Email: krharbou@gmail.com 
dolchi. info - Email: stthatch@gmail.com 
dolet. info - Email: magoetzim@gmail.com 
dolet. info - Email: magoetzim@gmail.com 
droope .info - Email: deciable@gmail.com 
empery .info - Email: phvandiv@gmail.com 
engirt .info - Email: jaohra@gmail.com 
eratile .info - Email: magoetzim@gmail.com 
erpeer .info - Email: deciable@gmail.com 
evyns. info - Email: magoetzim@gmail.com 
exampl .info - Email: krharbou@gmail.com 
extrip .info - Email: piproux@gmail.com 
fatted .info - Email: stthatch@gmail.com 
fedar. info - Email: phvandiv@gmail.com 
fifthz .info - Email: stthatch@gmail.com 
figgle .info - Email: deciable@gmail.com 
fliht .info - Email: krharbou@gmail.com 



fosset .info - Email: deciable@gmail.com 
freckl .info - Email: stthatch@gmail.com 
freiny. info - Email: krharbou@gmail.com 
froday. info - Email: deciable@gmail.com 
fulier. info - Email: deciable@gmail.com 
gaudad .info - Email: enomman@gmail.com 
gelded, info - Email: stthatch@gmail.com 
gicke .info - Email: magoetzim@gmail.com 
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girded .info - Email: jaohra@gmail.com 
goterm .info - Email: calexing@gmail.com 
guiany. info - Email: krharbou@gmail.com 
haere .info - Email: deciable@gmail.com 
hilloa. info - Email: phvandiv@gmail.com 
holdit. info - Email: stthatch@gmail.com 
hownet .info - Email: stthatch@gmail.com 
ignomy. info - Email: jaohra@gmail.com 
implor. info - Email: jaohra@gmail.com 
inclin. info - Email: grattab@gmail.com 


inquir .info - Email: stthatch@gmail.com 
jorgan .info - Email: bebrashe@gmail.com 
kedder .info - Email: enomman@gmail.com 
knivel .info - Email: deciable@gmail.com 
krapen .info - Email: deciable@gmail.com 
lavolt .info - Email: jaohra@gmail.com 
lavyer .info - Email: bebrashe@gmail.com 
lequel .info - Email: acjspain@gmail.com 
lowatt .info - Email: krharbou@gmail.com 
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meanly.info - Email: krharbou@gmail.com 
meyrie.info - Email: piproux@gmail.com 
midid .info - Email: magoetzim@gmail.com 
miloty .info - Email: stthatch@gmail.com 
mobled .info - Email: magoetzim@gmail.com 
monast. info - Email: phvandiv@gmail.com 
moont. info - Email: magoetzim@gmail.com 
narowz .info - Email: enomman@gmail.com 
nevils .info - Email: stthatch@gmail.com 
nnight .info - Email: piproux@gmail.com 



nroof .info - Email: krharbou@gmail.com 
numben .info - Email: deciable@gmail.com 
obsque .info - Email: jaohra@gmail.com 
octian .info - Email: jaohra@gmail.com 
odest. info - Email: phvandiv@gmail.com 
onclew .info - Email: phvandiv@gmail.com 
orifex .info - Email: krharbou@gmail.com 
orodes .info - Email: deciable@gmail.com 
outliv .info - Email: stthatch@gmail.com 
pante .info - Email: jaohra@gmail.com 
pasio .info - Email: jaohra@gmail.com 
pittie. info - Email: stthatch@gmail.com 
plamet .info - Email: stthatch@gmail.com 
plazec. info - Email: bebrashe@gmail.com 
potinz. info - Email: stthatch@gmail.com 
pplay. info - Email: jaohra@gmail.com 
pretia .info - Email: krharbou@gmail.com 
quoifs. info - Email: enomman@gmail.com 
qward. info - Email: enomman@gmail.com 
raught .info - Email: piproux@gmail.com 



realfly .info - Email: phvandiv@gmail.com 
reglet. info - Email: stthatch@gmail.com 
rogero .info - Email: stthatch@gmail.com 
sallut. info - Email: deciable@gmail.com 
sawme .info - Email: stthatch@gmail.com 
scarre .info - Email: enomman@gmail.com 
scrowl. info - Email: enomman@gmail.com 
sigeia. info - Email: krharbou@gmail.com 
sighal. info - Email: stthatch@gmail.com 
speen. info - Email: enomman@gmail.com 
spelem .info - Email: bebrashe@gmail.com 
spinge. info - Email: krharbou@gmail.com 
squach. info - Email: krharbou@gmail.com 
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stampo. info - Email: enomman@gmail.com 
steepy. info - Email: stthatch@gmail.com 
strawy, info - Email: jaohra@gmail.com 
suivez. info - Email: krharbou@gmail.com 
sundery .info - Email: phvandiv@gmail.com 


surnam. info - Email: krharbou@gmail.com 
swoln. info - Email: acjspain@gmail.com 
swoons .info - Email: enomman@gmail.com 
taulus. info - Email: jaohra@gmail.com 
tenshy. info - Email: stthatch@gmail.com 
tented, info - Email: deciable@gmail.com 
ticedu. info - Email: enomman@gmail.com 
tithed, info - Email: bebrashe@gmail.com 
topful. info - Email: jaohra@gmail.com 
unclin. info - Email: stthatch@gmail.com 
undeaf, info - Email: enomman@gmail.com 
unowed, info - Email: enomman@gmail.com 
unwept, info - Email: stthatch@gmail.com 
usicam. info - Email: stthatch@gmail.com 
vagrom. info - Email: bebrashe@gmail.com 
veldun. info - Email: jaohra@gmail.com 
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vipren. info - Email: calexing@gmail.com 
voided, info - Email: krharbou@gmail.com 
volsce. info - Email: krharbou@gmail.com 



washy, info - Email: phvandiv@gmail.com 

wincot. info - Email: enomman@gmail.com 

wiving, info - Email: enomman@gmail.com 

wooer, info - Email: jaohra@gmail.com 

xonker. info - Email: jaohra@gmail.com 

Historical OSINT of Koobface scareware activity over 
a period of two weeks 

The following is a snapshot of Koobface scareware activity 
during the last two weeks, establishing a direct connection 
between the Koobface botnet, the ongoing blackhat SEO 
campaigns, the Bahama botnet with scareware samples 

modifying HOSTS files, and an Ukrainian dating scam 
agency where the gang appears to be part of an affiliate 
network. 

Scareware samples pushed by Koobface, with associated 
detection rates: 

[40] mexcleaner .in - Email: niclas@i.ua 

[41] safetyscantool .com - 62.90.136.237 - Email: 
Suzanne.R.Muniz@trashymail.com 

[42] stabilitytoolsonline .com - Email: 
Brent.l.Purnell@pookmail.com 

[43] securitytestnetonline .com - 62.90.136.237 - Email: 
Dianne.T.Whitley@pookmail.com 

[44] securityprogramguide .com - Email: 
Kiyoko.T.Johnson@mailinator.com 



[45] cheapsecurityscan .com - Email: 
Kevin.L.Linkous@trashymail.com 

[46] securitycheckwest .com; webbiztest .com - Email: 
Ruthie.R.Wilcox@mailinator.com 

[47] securitycodereviews .com - 62.90.136.237 - Email: 
Darwin.L.Mcgowan@trashymail.com 

[48] netmedtest .com - 62.90.136.237 - Email: 
lrene.D.Snow@trashymail.com 

[49] toolsdirectnow .com - Email: 
Frank.J.Bullard@trashymail.com 

(ratspywawe .in; wqdefender .in; pivocleaner .in; 
mexcleaner .in; sapesoft .in; alsoft .in; samosoft .in; 
jastaspy 

.in; lastspy .in; felupdate .info; inkoclear .info; 
drlcleaner .info; tiposoft .info; fkupd .eu; piremover 
.eu; igsoft .eu; sersoft .eu) - [50]detection [51]rate 

775 


12 


Download locations of the actual scareware binary used over 
the past two weeks: 

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com 

6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 

mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 

84u9wb2hsh4p6 .cn - Email: 
robertsimonkroon@gmail.com 


6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 

7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 

7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 

kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 

q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 

rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 

tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 

4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 

kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 

hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 

mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 

mt3pvkfmpi7de .cn - Email: 
robertsimonkroon@gmail.com 

fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com 
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com 
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 
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p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 


gjpwsc5p7oe3m .cn - Email: 
robertsimonkroon@gmail.com 

fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 

7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com 

3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com 

p0umob9k2g7mp .cn - Email: 
robertsimonkroon@gmail.com 

od32qjx6meqos .cn - Email: 
robertsimonkroon@gmail.com 

bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 

7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 

What's the deal with the historical OSINT and why wasn't 
this data communicated right away? 

Keep read¬ 
ing. 

The Bahama Botnet Connection 

During September, the folks at ClickForensics made an 
interesting observation regarding [52]my Ukrainian "fan 
club" and the ad revenue stealing/click-fraud committing 
botnet Bahama - some of the scareware samples were 

[53]modifying the HOSTS file and presenting the victim with 
M [54]one of those cybecrime-friendly search engines" 


stealing revenue in the process. 



Once the connection was also established by me at a later 
stage, data released in regard to [55]the New York 
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Times malvertising attack once again revealed a connection 
between all campaigns - the very same domains used to 
serve the scareware, were also used in a blackhat SEO 
campaign which I analyzed a week before the incident took 
place. Basically, the [56]scareware pushed by the Koobface 
botnet, as well as the scareware pushed by the blackhat 
SEO campaigns maintained by the gangs is among the 
several propagation approaches used for the DNS records 

poisoning to take place: 

11 However, in the case of the Bahama Botnet, this DNS 
translation method gets corrupted. The Bahama botnet 
malware causes the infected computer to mistranslate a 
domain name. Instead of translating "Google.com" as 

74 . 125 . 155 . 99 , an infected computer will translate it as 
64 . 86 . 17 . 56 . That number doesn't represent any computer 
owned by Google. Instead, it represents a computer located 
in Canada. When a user with an infected machine 

performs a search on what they think is google.com, the 
query actually goes to the Canadian computer, which pulls 
real search results directly from Google, fiddles with them a 
bit, and displays them to the searcher. 

Now the searcher is looking at a page that looks exactly like 
the Google search results page, but it's not. A dick on the 
apparently "organic" results will redirect as a paid dick 
through several ad networks or parked domains — some 


com piic it, some not. Regardless, cost per dick (CPC) fees 
are generated, advertisers pay, and dick fraud has 
occurred. " 
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The 64 . 86 . 17.56 mentioned is actually [57]AS30407 
(Velcom), which has also been used in [58]recent 
campaigns. 

ISP and domain registrars have been notified, action should 
be taken shortly. What was particularly interesting to 
observe was scareware pushed by the Koobface botnet 
phoning back to its well known urodinam 
.net/8732489273.php domain, was also modifying the 
HOSTS file in the following way. Sample HOSTS modification 
of scareware (MD5: 

OxOFBF 1A9F8E6E305138151440DA58B4F1) pushed by 
Koobface: 

89.149.210.109 www.google.com 

89.149.210.109 www.google.de 

89.149.210.109 www.google.fr 

89.149.210.109 www.google.co.uk 

89.149.210.109 www.google.com.br 

89.149.210.109 www.google.it 

89.149.210.109 www.google.es 


89.149.210.109 www.google.co.jp 

89.149.210.109 www.google.com.mx 

89.149.210.109 www.google.ca 

89.149.210.109 www.google.com.au 

89.149.210.109 www.google.nl 

89.149.210.109 www.google.co.za 

89.149.210.109 www.google.be 

89.149.210.109 www.google.gr 

89.149.210.109 www.google.at 

89.149.210.109 www.google.se 

89.149.210.109 www.google.ch 

89.149.210.109 www.google.pt 

89.149.210.109 www.google.dk 

89.149.210.109 www.google.fi 

89.149.210.109 www.google.ie 

89.149.210.109 www.google.no 

89.149.210.109 search.yahoo.com 

89.149.210.109 us.search.yahoo, com 

89.149.210.109 uk.search.yahoo, com 
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Sample HOSTS modification of scareware (MD5: 

OxOFBF 1A9F8E6E305138151440DA58B4F1) pushed by 
blackhat SEO: 

74. 125.45.100 4-open-da vinci. com 

74.125.45.100 securitysoftwarepayments. com 

74.125.45.100 privatesecuredpayments.com 

74.125.45.100 secure.privatesecuredpayments. com 

74.125.45.100 getantiviruspiusnow.com 

74.125.45.100 secure-pius-payments. com 

74.125.45.100 www.getantiviruspiusnow.com 

74.125.45.100 www.secure-plus-payments. com 

74.125.45.100 www. geta vplusnow. com 

74.125.45.100 www. securesoftwarebill. com 

74.125.45.100 secure.paysecuresystem. com 

74.125.45.100 paysoftbillsolution. com 

64.86.16.97 google.ae 

64.86.16.97 google.as 

64.86.16.97 google.at 

64.86.16.97 google.az 

64.86.16.97 google.ba 

64.86.16.97 google.be 



64.86.16.97 google.bg 

64.86.16.97 google.bs 

64.86.16.97 google, ca 

64.86.16.97 google, cd 

64.86.16.97 google, com.gh 

64.86.16.97 google, com.hk 

64.86.16.97 google.com.jm 

64.86.16.97 google, com.mx 

64.86.16.97 google.com.my 

64.86.16.97 google.com. na 

64.86.16.97 google.com.nf 

64.86.16.97 google.com.ng 

64.86.16.97 google, ch 

64.86.16.97 google, com.np 

64.86.16.97 google.com.pr 

64.86.16.97 google, com. qa 

64.86.16.97 google.com.sg 

64.86.16.97 google, com. tj 

64.86.16.97 google.com. tw 

64.86.16.97 google.dj 



64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 
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64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 


google.de 
google.dk 
google, dm 
google.ee 

google.fi 
google.fm 
google.fr 
google, ge 
google.gg 
google, gm 
google.gr 
google, ht 
google.ie 
google, im 
google, in 
google.it 
google, ki 
google. I a 
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97 
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97 

97 

97 

97 

97 

97 


64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 
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64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 


google. Ii 
google.lv 
google, ma 
google, ms 
google, mu 
google.mw 

google.nl 
google.no 
google, nr 
google, nu 
google.pl 
google.pn 
google.pt 
google.ro 
google.ru 
google, rw 
google, sc 
google.se 


97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 


64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 
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64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 

64.86. 

16. 


google.sh 
google, si 
google.sm 
google.sn 

google, st 
google, tl 
google, tm 
google, tt 
google, us 
google, vu 
google, ws 
google.co.ck 
google.co.id 
google.co.il 
google.co.in 
google.co.jp 
google, co. kr 
google.co.Is 


97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 

97 


64.86.16.97 google.co.ma 
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64.86.16.97 google.co.nz 

64.86.16.97 google.co.tz 

64.86.16.97 google, co. ug 

64.86.16.97 google, co. uk 

64.86.16.97 google.co.za 

64.86.16.97 google.co.zm 

64.86.16.97 google, com 

The historical OSINT paragraph mentioned that several of 

the scareware domains pushed during the past two 
weeks were responding to 62.90.136.237, This very 
same 62.90.136.207 IP was hosting domains part of an 

[59] Ukrainian dating scam agency known as 

[60] Confidential Connections earlier this year, whose 
spamming operations were 

linked to a [61]botnet involved in money mule recruitment 
activities. 

For the time being, the following dating scam domains are 
responding to the same IP: 

healthe-lovesite .com - Email: potenciallio@safe-mail.net 
love-isaclick .com - Email: potenciallio@safe-mail.net 


love-is-special .com - Email: potenciallio@safe-mail.net 

only-loveall .com - Email: potenciallio@safe-mail.net 

and-i-loveyoutoo .com - Email: potenciallio@safe- 
mail.net 

andiloveyoutoo .com - Email: menorstlO@yahoo.com 
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romantic-love-forever .com - Email: potenciallio@safe- 
mail.net 

love-youloves .com - Email: potenciallio@safe-mail.net 

love-galaxys .com - Email: potenciallio@safe-mail.net 

love-formeandyou .com - Email: potenciallio@safe- 
mail.net 

ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 
love-isexcellent .net - Email: potenciallio@safe-mail.net 
Could it get even more malicious and fraudulent than that? 
Appreciate my thetoric. 

The same email 

(potenciallio@safe-mail.net) that was used to register the 
dating scam domains was also used to register ex- 


ploit serving domains at 195.88.190.247, [62]participate 
in phishing campaigns, and register a [63]money mule 
recruitment site for the non-existent [64]AIIied Insurance 
LLC. (Allied Group, Inc.). 

Now that's a multi-tasking underground enterprise, isn't it? 
The ISPs have been notified, domains suspension 

is pending. 

Related posts: 

[65] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 
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[66] New Koobface campaign spoofs Adobe's Flash updater 

[67] Social engineering tactics of the Koobface botnet 

[68] Koobface Botnet Dissected in a TrendMicro Report 

[69] Koobface Botnet's Scareware Business Model 

[70] Movement on the Koobface Front - Part Two 

[71] Movement on the Koobface Front 

[72] Koobface - Come Out, Come Out, Wherever You Are 

[73] Dissecting Koobface Worm's Twitter Campaign 

[74] Dissecting the Koobface Worm's December Campaign 

[75] Dissecting the Latest Koobface Facebook Campaign 

[76] The Koobface Gang Mixing Social Engineering Vectors 



This post has been reproduced from [77]Dancho Danchev's 
blog. 
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Keeping Money Mule Recruiters on a Short Leash 
(2009-11-16 23:09) 

The money mule recruitment syndicate exposed in a 
previous post ([^Standardizing the Money Mule 
Recruitment 

Process), continues introducing new domains and re¬ 
branding the de-facto recruitment templates for a huge 

percentage of the currently active [2]money mule 
recruitment scams. 

Ironically, both the syndicate and its competition in the face 
of boutique money mule recruitment operations 

aiming to self-service the cybercriminal - he doesn't want to 
share stolen revenue with a third-party service provider 

- behind them, are using the copywriting and online brand 
management services courtesy of a single vendor. 
















It's time to expose the complete domains portfolio of one of 
their biggest customers, including both domains 

introduced since the middle of the summer, 2009, as well as 
the most recent ones, with all of them using/having used 
the services of [3]AS:38356. 

789 


£ 


Parked at [4]222.35.137.234; [5J222.35.137.235; 
[6J222.35.137.236; [7J222.35.137.237; [8J222.35.137.238 
as of 

Monday, November 18 are the following money mule 
recruitment domains: 

affina-groupsvc .cc - Email: justin _dickerson@ymail.com 

altgroupco .cn - Email: abuseemaildhcp@gmail.com 

alt-groupco .net - Email: MarcusStraker909@gmail.com 

annuity-groupnet .cc - Email: justin 
_dickerson@ymail.com 

archway-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

armor-groupco .cc - Email: defrankpo@gmail.com 

ava-group .cc - Email: Gregory.Michell2009@yahoo.com 

ava-group .cn - Email: Gregory.Michell2009@yahoo.com 

ava-groupsvc .cc - Email: 
Gregory.Michell2009@yahoo.com 


avagroupsvc .cn - Email: 

Gregory.Michell2009@yahoo.com 

bfs-groupinc .cc - Email: defrankpo@gmail.com 

braingroupmain .cn - Email: abuseemaildhcp@gmail.com 
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brain-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

ccn-groupco .cn - Email: Gregory.Michell2009@yahoo.com 

cdi-groupmain .cn - Email: garry_honn@yahoo.com 

cosco-groupmain .cn - Email: andrew_cc@yahoo.com 

criscom-group .cc - Email: 
Gregory.Michell2009@yahoo.com 

criscomgroupco .cn - Email: 
Gregory.Michell2009@yahoo.com 

criscom-groupinc .cc - Email: 
Gregory.Michell2009@yahoo.com 

cronos-group .net - Email: MarcusStraker909@gmail.com 
cronos-groupinc .cn - Email: abuseemaildhcp@gmail.com 
cronos-groupinc .com - Email: bias@co5.ru 
cronosgroupsvc .cn - Email: abuseemaildhcp@gmail.com 
dove-groupli .cn - Email: abuseemaildhcp@gmail.com 
entrustgroup .cn - Email: moldavimo@safe-mail.net 



extreme-groupinc .cn - Email: 
a buseemai I dhcp@gmail.com 


fairline-group .cn - Email: 
Gregory.Michell2009@yahoo.com 

flatgroupfly .cc - Email: steven Jucas _2000@yahoo.com 
full-controll .cc - Email: morgan.greg@yahoo.com 
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geniouspartner .cn - Email: morgan.greg@yahoo.com 

holding-group .cn - Email: ronny.greg@yahoo.com 

igt-groupco .cn - Email: abuseemaildhcp@gmail.com 

igtgroupinc .cn - Email: abuseemaildhcp@gmail.com 

igt-groupinc .com - Email: feet@freemailbox.ru 

index-groupinc .cn - Email: abuseemaildhcp@gmail.com 

index-groupinc .com - Email: taffy@blogbuddy.ru 

indexgroupinc .net - Email: 
MarcusStraker909@gmail.com 

index-groupmain .cn - Email: 
abuseemaildhcp@gmail.com 

ing-groupsvc .cn - Email: admin@emerge-groupnet.cn 

integrity-groupinc .cc - Email: justin 
_dickerson@ymail.com 


invalda-groupli .cn - Email: rocco _invalda@yahoo.com 

invalda-groupmain .cn - Email: rocco 
_invalda@yahoo.com 

invalda-groupmain .com - Email: chum@cheapmail.ru 
landgroupinc .cn - Email: abuseemaildhcp@gmail.com 
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landgroupinc .net - Email: MarcusStraker909@gmail.com 

land-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

land-groupsvc .com - Email: bias@co5.ru 

libertygroup .cc - Email: LindseyKimSI@gmail.com 

lime-groupnet .cn - Email: abuseemaildhcp@gmail.com 

lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

margin-groupco .cn - Email: 
Gregory.Michell2009@yahoo.com 

margingroupinc .cn - Email: 
regory.Michell2009@yahoo.com 

massivegroupsvc .cn - Email: 
abuseemaildhcp@gmail.com 

mastergroupinc .cn - Email: abuseemaildhcp@gmail.com 
master-groupinc .com - Email: taffy@blogbuddy.ru 
master-groupsvc .cn - Email: taffy@blogbuddy.ru 



mellis-group .cn - Email: abuseemaildhcp@gmail.com 

mellis-groupmain .cn - Email: 
abuseemaildhcp@gmail.com 
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mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

nvidia-groupnet .cn - Email: 
Gregory.Michell2009@yahoo.com 

nvidia-groupsvc .cn - Email: 
Gregory.Michell2009@yahoo.com 

opm-groupli .com - Email: entrap@namebanana.net 

phoenix-groupco .net - Email: 
MarcusStraker909@gmail.com 

phoenix-groupmain .cn - Email: 
abuseemaildhcp@gmail.com 

premier-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

premier-groupinc .com - Email: gone@corporatemail.ru 

premier-groupnet .cc - Email: justin 
_dickerson@ymail.com 

prime-groupco .cn - Email: abuseemaildhcp@gmail.com 
prime-groupinc .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupco .cc - Email: justin _dickerson@ymail.com 


puritan-groupco .cn - Email: abuseemaildhcp@gmail.com 

puritan-groupinc .cn - Email: 
abuseemaildhcp@gmail.com 

puritan-groupinc .com - Email: gone@corporatemail.ru 
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realtek-groupnet .cn - Email: 
Gregory.Michell2009@yahoo.com 

realtekgroupsvc .cn - Email: 
Gregory.Michell2009@yahoo.com 

reddbutton .cn - Email: morgan.greg@yahoo.com 

redeye-groupco .cn - Email: abuseemaildhcp@gmail.com 

redeye-groupinc .cn - Email: abuseemaildhcp@gmail.com 

regency-groupco .com - Email: gone@corporatemail.ru 

regency-groupnet .cc - Email: justin 
_dickerson@ymail.com 

regency-groupnet .cn - Email: 
abuseemaildhcp@gmail.com 

safegroupsvc .cn - Email: 
Gregory.Michell2009@yahoo.com 

saturn-groupsvc .cn - Email: darry_wisp@yahoo.com 

scope-group .cn - Email: don.ram@yahoo.com 

scope-groupmain .cc - Email: darry_wisp@yahoo.com 


scope-groupmain .cn - Email: 
a buseemai I dhcp@gmail.com 

stargroupinc .cn - Email: abuseemaildhcp@gmail.com 
star-groupinc .net - Email: MarcusStraker909@gmail.com 
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star-groupsvc .cn - Email: abuseemaildhcp@gmail.com 

star-groupsvc .com - Email: taffy@blogbuddy.ru 

summit-groupinc .cn - Email: 
Gregory.Michell2009@yahoo.com 

theblackend .cn - Email: morgan.greg@yahoo.com 

totallysmiled .cn - Email: morgan.greg@yahoo.com 

vector-groupfine .cn - Email: justin 
_dickerson@ymail.com 

vision-groupinc .cc - Email: vision-groupinc.cc 
vision-groupsvc .com - Email: gone@corporatemail.ru 
windcontrol .cc - Email: morgan.greg@yahoo.com 

Nothing's isolated, everything's connected, and sadly 
orchestrated by a very distinct set of cybercrime enter¬ 
prises, the market share leaders. 

Related posts: 

[9]Standardizing the Money Mule Recruitment Process 



[10] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[11] Money Mules Syndicate Actively Recruiting Since 2002 

[12] Inside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [13]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as pot.com/20Q9/10/standardizin a- 
monev-mule-recrmtment.html 

2. http://www.fbi. a ov/pressrel/pressrel09/ach 110309.htm 

3. http://www. a oo a le.com/safebrowsin a /dia a nostic? 
site=AS:38356 

4. http://whois.domaintools.com/222.35.137.234 

5. http://whois.domaintools.com/222.35.137.235 

6. http://whois.domaintools.com/222.35.137.236 

7. http://whois.domaintools.com/222.35.137.237 

8. http://whois.domaintools.com/222.35.137.238 

9. http://ddanchev.blo as pot.com/2QQ9/lQ/standardizin a- 
monev-mule-recruitment.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q7/monev-mule- 
recruiters-use-asproxs-fast.html 

11. http://ddanchev.blo as pot.com/2QQ8/lQ/monev-mules- 
s vndicate-activelv.html 


































12. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a roups-spammin a .html 

13. http://ddanchev.blo as pot.com/ 

796 

One Year Worth of Zeus Crimeware Development 
Through the Eyes of the Cybercriminal (2009-11-16 
23:31) Despite the fact that the Zeus crimeware kit is a 
victim of" 

Managed Cybercrime-as-a-Services as a commodity 

Related posts: 
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Massive Scareware Serving Blackhat SEO, the 
Koobface Gang Style (2009-11-17 22:36) 

[l]Ali Baba and the 40 thieves LLC are once again multi¬ 
tasking, this time compromising [2]hundreds of thousands 
of web sites, and redirecting Google visitors - through the 
standard http referrer check - to [3]scareware serving 
domains. 

What's so special about the domains mentioned in 
Cyveillance's post, as well as the ones currently active on 
this campaign? It's the Koobface connection. 

For instance, the ionisationtools .cn or moored2009 .cn 

redirectors, as well as the scareware serving premium- 
protection6 .com; file-antivirus3.com; checkalldata 











.com; foryoumalwarecheck4 .com; antispy-scanl 
.com mentioned in post, are the same scareware redirectors 
and domains analyzed in [4]part two of the Koobface 
Botnet's Scareware Business Model series. The identical 
structure on a sampled Koobface infected host and a 
sampled 

compromised site can be seen in the attached screenshots. 
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The redirection "magic" takes place through a what looks 
like a static [5]css.js (Trojan-Downloader.JS.FraudLoad) 

uploaded on all of the affected sites. The very latest 
blackhat SEO once again puts the Koobface gang in the 
spotlight of the ongoing underground multi-tasking that the 
majority of cybercriminals engage in these days. 

Related posts: 

[6] Koobface Botnet's Scareware Business Model - Part Two 

[7] Koobface Botnet's Scareware Business Model - Part One 

[8] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[9] New Koobface campaign spoofs Adobe's Flash updater 

[10] Social engineering tactics of the Koobface botnet 
[lljKoobface Botnet Dissected in a TrendMicro Report 

[12] Koobface Botnet's Scareware Business Model 

[13] Movement on the Koobface Front - Part Two 


[14] Movement on the Koobface Front 

[15] Koobface - Come Out, Come Out, Wherever You Are 

[16] Dissecting Koobface Worm's Twitter Campaign 

[17] Dissecting the Koobface Worm's December Campaign 

[18] Dissecting the Latest Koobface Facebook Campaign 

[19] The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from [20]Dancho Danchev's 
blog. 
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Massive Scareware Serving Blackhat SEO, the 
Koobface Gang Style (2009-11-17 22:36) 

[l]Ali Baba and the 40 thieves LLC are once again multi¬ 
tasking, this time compromising [2]hundreds of thousands 
of web sites, and redirecting Google visitors - through the 
standard http referrer check - to [3]scareware serving 
domains. 

What's so special about the domains mentioned in 
Cyveillance's post, as well as the ones currently active on 
this campaign? It's the Koobface connection. 

For instance, the ionisationtools .cn or moored2009 .cn 

redirectors, as well as the scareware serving premium- 
protection6 .com; file-antivirus3.com; checkalldata 
.com; foryoumalwarecheck4 .com; antispy-scanl 
.com mentioned in post, are the same scareware redirectors 
and domains analyzed in [4]part two of the Koobface 
Botnet's Scareware Business Model series. The identical 
structure on a sampled Koobface infected host and a 
sampled 

compromised site can be seen in the attached screenshots. 
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The redirection "magic" takes place through a what looks 
like a static [5]css.js (Trojan-Downloader.JS.FraudLoad) 

uploaded on all of the affected sites. The very latest 


blackhat SEO once again puts the Koobface gang in the 
spotlight of the ongoing underground multi-tasking that the 
majority of cybercriminals engage in these days. 

Related posts: 

[6] Koobface Botnet's Scareware Business Model - Part Two 

[7] Koobface Botnet's Scareware Business Model - Part One 

[8] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[9] New Koobface campaign spoofs Adobe's Flash updater 

[10] Social engineering tactics of the Koobface botnet 
[lljKoobface Botnet Dissected in a TrendMicro Report 

[12] Koobface Botnet's Scareware Business Model 

[13] Movement on the Koobface Front - Part Two 

[14] Movement on the Koobface Front 

[15] Koobface - Come Out, Come Out, Wherever You Are 

[16] Dissecting Koobface Worm's Twitter Campaign 

[17] Dissecting the Koobface Worm's December Campaign 

[18] Dissecting the Latest Koobface Facebook Campaign 

[19] The Koobface Gang Mixing Social Engineering Vectors 
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This post has been reproduced from [20]Dancho Danchev's 
blog. 
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"Your mailbox has been deactivated" Spam 
Campaign Serving Crimeware (2009-11-17 23:11) 

An ongoing [l]"Your mailbox has been deactivated" themed 
[2]spam campaign is pushing crimeware as an attached 


[3]utility.zip archive. 

































Subject: your mailbox has been deactivated 


Message: " We are contacting you in regards to an unusual 
activity that was identified in your mailbox. As a result, your 
mailbox has been deactivated. To restore your mailbox, you 
are required to extract and run the attached mailbox utility. 
Best regards, hush.com technical support. " 

Different signatures used: " From Webmail Help Desk; 
From hush.com technical support; From msmvps.com 
technical support; From ahnlab.com technical support; From 
symantec.com technical support' 

Sampled obtained phones back to 193.104.27 
.9l/limpopo/bb.php?id=636608811 &v=200 &tm = 2 
&b=4316315581; 193.104.27 .91/limpopo/bb.php? 
id=554275088 &v=200 &tm = 8 &b=4316315581 
&tid=ll &r=l, from where it 804 

downloads [4]promed-net .com/css/abs.exe 

(97.74.144.118; Email: ninemed@ninemedical.com ) which 
phones back to 231307d91138.bauhath.com/get.php? 
c=QPTUDBSV &d = , downloading [5]91.213.72 .51/ldr7.exe 
which 

phones back to 193.104.27 .42/lcc/ip2.gif which is 
TrojWare.Win32.TrojanSpy.Zbot.Gen 

[6]AII of these IPs are [7]not surprisingly known Zeus 

[8] crimeware hosts. 

Related phone-back locations parked on the same IP - 

[9] 94.75.221.76: 

koralda .com - Email: owner@koralda.com 
antiona .com - Email: owner@antiona.com 



lambrie .com - Email: owner@lambrie.com 
bauhath .com - Email: owner@bauhath.com 
agulhal .com - Email: owner@agulhal.com 
lantzel .com - Email: owner@lantzel.com 
bourgum .com - Email: owner@bourgum.com 
101607d91120.koralda .com 
141607d91121. kora Ida .com 
121607d91122.koralda .com 
161607d91123.koralda .com 
141607d91124. kora Ida .com 
181607d91125.koralda .com 
011607d91106.koralda .com 
171507d91116.koralda .com 
161607d91126.koralda .com 
231507d91107.koralda .com 
201607d91127.koralda .com 
031607d91108.koralda .com 
191507d91118.koralda .com 
011607d91109.koralda .com 


171507d91119.koralda .com 



221607d91129.koralda .com 


201607d9112a.koralda .com 
031607d9110b.koralda .com 
191507d9111b.koralda .com 
081607d9111b.koralda .com 
221607d9112c.koralda .com 
101607d9111d.koralda .com 
081607d9111e.koralda .com 
121607d9111f.koralda .com 
211507d91131.antiona .com 
231507d91133.antiona .com 
081207d91134.antiona .com 
121607d91115.antiona .com 
001307d91106.antiona .com 
201307d91108.antiona .com 
121107d91128.antiona .com 
021107d91129.antiona .com 
221307d9110a.antiona .com 
231107d9111a.antiona .com 
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230907d9111b.antiona .com 


041107d9112b.antiona .com 
011207d9111c.antiona .com 
081307d9110d.antiona .com 
061107d9112d.antiona .com 
191407d9112d.antiona .com 
171307d9111f.antiona .com 
211407d9112f.antiona .com 
042707d90914.agrigid .com 
101607d91121.lambrie .com 
121607d91122.lambrie .com 
141607d91124.lambrie .com 
161607d91126.lambrie .com 
231507d91107.lambrie .com 
181607d91128.lambrie .com 
011607d91109.lambrie .com 
171507d91119.lambrie .com 
201607d9112a.lambrie .com 
031607d9110b.lambrie .com 


191507d9111b.lambrie .com 



221607d9112c.lambrie .com 


081607d9111e.lambrie .com 
081607d91100.bauhath .com 
071607d91130.bauhath .com 
121607d91101.bauhath .com 
201607d91111.bauhath .com 
221307d91102.bauhath .com 
051107d91122.bauhath .com 
141607d91103.bauhath .com 
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151207d91113.bauhath .com 
221607d91113.bauhath .com 
221307d91104.bauhath .com 
071107d91124.bauhath .com 
171207d91115.bauhath .com 
051007d91126.bauhath .com 
091107d91126.bauhath .com 
101607d91107.bauhath .com 


191207d91117.bauhath .com 


051207d91127.bauhath .com 
071007d91128.bauhath .com 
071207d91128.bauhath .com 
121607d91109.bauhath .com 
211207d91119.bauhath .com 
091007d9112a.bauhath .com 
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131107d9112a.bauhath .com 
091207d9112a.bauhath .com 
051607d9113a.bauhath .com 
231207d9111b.bauhath .com 
091607d9113b.bauhath .com 
141607d9110c.bauhath .com 
111007d9112c.bauhath .com 
111207d9112c.bauhath .com 
161607d9110d.bauhath .com 
071607d9112d.bauhath .com 
181607d9110f.bauhath .com 
181007d91132.edvehal .com 


181007d91135.edvehal .com 



181207d91110.agulhal .com 
091007d91120.agulhal .com 
211007d91130.agulhal .com 
041307d91130.agulhal .com 
111007d91122.agulhal .com 
061307d91132.agulhal .com 
131207d91123.agulhal .com 
131007d91124.agulhal .com 
151207d91125.agulhal .com 
230907d91116.agulhal .com 
151007d91126.agulhal .com 
061207d91127.agulhal .com 
011007d91118.agulhal .com 
171007d91128.agulhal .com 
031007d9111a.agulhal .com 
021207d9111b.agulhal .com 
121107d9113b.agulhal .com 
051007d9111c.agulhal .com 
011107d9110d.agulhal .com 
041207d9111d.agulhal .com 




191007d9112d.agulhal .com 
161207d9110e.agulhal .com 
071007d9111e.agulhal .com 
141607d91100.lantzel .com 
081607d91100.lantzel .com 
221607d91110.lantzel .com 
121607d91101.lantzel .com 
171207d91111.lantzel .com 
201607d91111.lantzel .com 
071107d91121.lantzel .com 
051107d91122.lantzel .com 
141607d91103.lantzel .com 
151207d91113.lantzel .com 
191207d91113.lantzel .com 
221607d91113.lantzel .com 
051007d91123.lantzel .com 
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091107d91123.lantzel .com 
051207d91123.lantzel .com 


101607d91104.lantzel .com 



071107d91124.lantzel .com 
211207d91115.lantzel .com 
171207d91115.lantzel .com 
071007d91125.lantzel .com 
111107d91125.lantzel .com 
071207d91125.lantzel .com 
121607d91106.lantzel .com 
051007d91126.lantzel .com 
091107d91126.lantzel .com 
051207d91126.lantzel .com 
101607d91107.lantzel .com 
231207d91117.lantzel .com 
191207d91117.lantzel .com 
091007d91127.lantzel .com 
131107d91127.lantzel .com 
091207d91127.lantzel .com 
051607d91137.lantzel .com 
141607d91108.lantzel .com 
071007d91128.lantzel .com 
111107d91128.lantzel .com 



071207d91128.lantzel .com 
091607d91138.lantzel .com 
121607d91109.lantzel .com 
211207d91119.lantzel .com 
111007d91129.lantzel .com 
111207d91129.lantzel .com 
071607d91139.lantzel .com 
161607d9110a.lantzel .com 
091007d9112a.lantzel .com 
131107d9112a.lantzel .com 
091207d9112a.lantzel .com 
111607d9113a.lantzel .com 
051607d9113a.lantzel .com 
141607d9110b.lantzel .com 
231207d9111b.lantzel .com 
091607d9113b.lantzel .com 
181607d9110c.lantzel .com 
111007d9112c.lantzel .com 
111207d9112c.lantzel .com 
161607d9110d.lantzel .com 




201607d9110e.lantzel .com 


151207d9110f.lantzel .com 
181607d9110f.lantzel .com 
051107d9111f.lantzel .com 
131507d91100.bourgum .com 
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231507d91130.bourgum .com 
221207d91101.bourgum .com 
211507d91131.bourgum .com 
001307d91103.bourgum .com 
231507d91133.bourgum .com 
001107d91124.bourgum .com 
081207d91134.bourgum .com 
201307d91105.bourgum .com 
121607d91115.bourgum .com 
001307d91106.bourgum .com 
021107d91126.bourgum .com 
091207d91107.bourgum .com 
221307d91107.bourgum .com 
231107d91117.bourgum .com 



201307d91108.bourgum .com 
230907d91118.bourgum .com 
121107d91128.bourgum .com 
041107d91128.bourgum .com 
211007d91138.bourgum .com 
011207d91119.bourgum .com 
021107d91129.bourgum .com 

Naturally, the campaign isn't an isolated incident, with 

[10] previous "Facebook updated account agreement" 

themed ones, using the same phone back locations as the 
currently ongoing one. 

Related posts: 

[11] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[12] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [13]Dancho Danchev's 
blog. 

1. http://search.twitter.com/search?g = mailbox+deactivated 

2. htto ://www.sophos.com/blo as/ac/a /2 009/11/17/mai I box- 
deactivated/ 


3 . 








http://www.vi rustotal.com/analisis/e61cQ1697fe928360dd 7 

2bbbbd24dcd2ebfcce46f718d384f47be66e22c8ee51- 

12584 

75037 

4. 

http://www.virustotal.com/analisis/27798e6f384f94QQdef8df 

ab97566a4d!3345449ac926d6a44963f7b97f54cc7-12584 

1275Q 

5. 

http://www.virustotal.com/analisis/39d8ad95bQ323c37bd31 

34ab93ac4af44c66ala8443a41clac02cecl9bb2816a- 

12584 

12320 

6. https://zeustracker.abuse.ch/monitor. ohp? 
host=193.1Q4.27.91 

7. https://zeustracker.abuse.ch/monitor. ohp? 
host=193.104.27.42 


8. https://zeustracker.abuse.ch/monitor. ohp? 
host=91.213.72.51 

9. http://whois.domaintools.com/94.75.221.76 

10. http://blo a .mxlab.eu/2QQ9/ll/Q7/facebook-uodated- 
account-a a reement-email-contains-sasfis-tro i an/ 


11. http://ddanchev.blo as pot.com/2QQ9/lQ/on a oin a -fdic- 
s oam-camoai a n-serves-zeus.html 































12. http://ddanchev.blo as pot.com/2QQ9/07/multitaskin a- 
fast-flux-botnet-that.html 


13. http://ddanchev.blo as pot.com/ 
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Scareware Campaign Using Google Sponsored Links 
(2009-11-19 00:30) 

A scareware campaign is currently using Google sponsored 
ads, and by hijacking a decent number of well positioned 
keywords, is attempting to trick visitors into installing 
scareware featuring several new templates. This is, of 
course, not the first and definitely not the last time 
scareware campaigners are using highly targeted legitimate 
networks in order to reach potential audience by making an 
investment into the traffic acquisition practice. 

However, compared to the "long tail centered" blackhat 
SEO, the use of legitimate ad networks would never reach a 
positive ROI, like the one achieved by dynamic syndication 
of legitimate content and monetizing it through 

scareware. 
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Scareware domains seen in circulation: 

adwarealert .com - 75.125.200.226 
adware-pro-2009 .com - 209.216.193.113 







adwareprosite .com - 188.121.46.1 - Email: 
pedrocanas75@gmail.com 

adwarepro-site .com - 209.216.193.101 - Email: 
pedrocanas75@gmail.com 

antimalwarenow .com - 173.201.0.128 

anti-malware-pro .org - 209.216.193.103 - Email: 
pedrocanas75@gmail.com 
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antimalware-software .com - 209.216.193.11 

antimalware-software .org - 209.216.193.106 - Email 
pedrocanas75@gmail.com 

get-spyware-destroyer .com - 63.243.188.37 - Email: 
admin@upclick.com 

macrovirus .com - 75.125.152.58 

malwareprofessional .com - 74.205.8.6 

813 
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theantimalware .com - 173.201.0.12 
adware-pro-live .com - 209.216.193.9 
antivirus-live-pro .com - 209.216.193.9 
antivirus-live-pro .org 


antivirus-live-software .com 


antivirus-pro-live .com 
antiviruspro-live .com 

Sample detection rates: [lJanti-malware-application.exe; 
[2]malware _professional.exe; [3]macro _virus.exe; 

[4]antimalware _pro.exe; [5]spyware _destroyer.exe; 
[6]AdwarePro _Setup.exe; [7]AdwarePro _Setup06.exe; 
[8]Ad- 

warePro _Setup2305.exe. 

Consider going through the [9]The Ultimate Guide to 
Scareware Protection detailing alternative traffic 
acquisition approaches used by scareware campaigners, as 
well as the related posts dissecting recent blackhat SEO 

campaigns. 

Related posts: 

[10] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[11] Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign 

[12] U.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding 

814 

[13] Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware 



[14] A Peek Inside the Managed Blackhat SEO Ecosystem 

[15] Dissecting a Swine Flu Black SEO Campaign 

[16] Massive Blackhat SEO Campaign Serving Scareware 

[17] From Ukrainian Blackhat SEO Gang With Love 

[18] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[19] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[20] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [21 JDancho Danchev's 
blog. 

1 . 

http://www.virustotal.com/analisis/6cf493ec3889eae6270Q4 

b61895ea90fc3b55Qab0Q8a44a9d8f3f095f8d4d089-12585 

82577 

2 . 

http://www.virustotal.com/analisis/ac365eebcea659b33798 

1537047e22ad517558dc8175b3f5f37fl47df44157df- 

12585 

82886 

3. 

http://www.virustotal.com/analisis/66747cb6Qb4f3587761fe 

27d6015220324c74d7c732b9427acb985ee00799970- 











12585 


82760 

4. 

http://www.virustotal.com/analisis/07f93b61e2aa2203393f0 

e63d96e31625ebfb7571752e88f46b34e4a9e7f9066-12585 

82969 

5. 

http://www.virustotal.com/analisis/279377545fc37b231028 

638c3c80f3363b5d48d0072dladf321cf90118b92124- 

12585 

83187 

6 . 

http://www.virustotal.com/analisis/3e9559961ea43b3f603fe 

bf342b72809f03f79f3b7e9c56bfdc49fb9732d52ef-12585 

83234 

7. 

http://www.virustotal.com/analisis/e89f85f7d96fc2c3a396a 

b0c85cdbba543cf47c5048bd81fa516857d04ald37d-12585 

83418 

8 . 

http://www.virustotal.com/analisis/dle012fe55fld015e86cl 

a8el3dd9f278546d46c3e750f0e985bd9a587c90466- 

12585 




















83461 


9. http://blo a s.zdnet.com/securit v/? p=4297 

10. http://ddanchev.blo as pot.com/20Q9/ll/massive- 
scareware-servin a -blackhat-seo.html 

11. http://ddanchev.blo as pot.com/2009/Q8/dissectin a- 
ona oin a -us-federal-forms.html 

12. http://ddanchev.blo as pot.com/2009/Q8/us-federal- 
forms-blackhat-seo-themed.html 


13. http://ddanchev.blo as pot.com/2009/Q8/blackhat-seo- 
campai a n-hi i acks-us.html 

14. http://ddanchev.blo as pot.com/20Q9/Q6/peek-inside- 
mana a ed-blackhat-seo.html 

15. http://ddanchev.blo as pot.com/2009/Q5/dissectin a- 
swine-flu-black-seo-campai a n.html 

16. http://ddanchev.blo as pot.com/2009/Q4/massive- 
blackhat-seo-campai a n-servin a .html 

17. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

18. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with_09.html 

19. http://ddanchev.blo as pot.com/2009/Q6/from-ukraine- 
with-scareware-servin a .html 

20. http://ddanchev.blo as pot.com/2009/Q6/fake-web- 
hostin a- provider-front-end-to.html 


21. http://ddanchev.blo as pot.com/ 
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Koobface Botnet Starts Serving Client-Side Exploits 
(2009-11-25 20:09) 

UPDATED, Wednesday, December 02, 2009: The 

systematic rotation of new redirectors and scareware 
domains 

remains ongoing, with no signs of resuming the use of 
client-side exploits. 

Some of the latest ones include inviteerverwhere .cn - 
Email: box@cethcuples.com -> scanner-infoa .com - 

Email: inout@celestia.com, 

[1] scareware detection rate 

; leconomyguide .cn - Email: contact@berussa.de -> 
superdefenceaj .com - Email: inout@celestia.com, 

[2] scareware detection rate; slip-stream .cn - Email: 
info@mercedess.de-> getsafeantivirusa .com - Email: 
morri-son2g@yahoo.com, [3]scareware detection rate. 

The complete list of redirectors introduced over the past 
week is as follows: leconomyguide .cn; lmonocline 

.cn; lnonsensical .cn; lonlinestarter .cn; lpolitical- 
news .cn; argentinastyle .cn; australiagold .cn; 
austriamoney 

.cn; beatupmean2 .cn; belgiumnation .cn; 
brazilcountry .cn; firefoxfowner .cn; 
inviteerverwhere .cn; iraqcontacts 


.cn; makenodifference2 .cn; manualgreese .cn; 
overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; 
separator2009 

.cn; slip-stream .cn; solidresistance .cn; 
wallgreensmart .cn; windowsclone .cn; 
womenregrets .cn; womenregrets2 


.cn 

UPDATED, Saturday, November 28, 2009: 

Following yesterday's experiment with bit.ly redirectors, re¬ 
lying on a "visual social engineering element" by adding 
descriptive domains after the original link - 

bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which 
works with any generated bit.ly link, the gang is now 
spamvertising links using Google News redirection to 
automatically registered Blogspot accounts, whose 

[4] CAPTCHA challenge has been solved by the already 
infected with Koobface victims, a feature that is now 
mainstream, compared to the gang's previous use of 

[5] commercial CAPTCHA solving services, where the price 
for a thousand solved CAPTCHAs 

varies between $1 and $2: 

- news.google.com/news/url? 
url=http://pierrickcastoe .blogspot.com/ 

- news.google.com/news/url? 

url = http://biilybiilybangert .blogspot.com/ 


- news.google.com/news/url? 

url = http://majdimajdinoordijk .blogspot.com/ 
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- news.google.com/news/url? 
url=http://vassellpelovska .blogspot.com/ 

- news.google.com/news/url? 

url = http://troitroiweinbrenner .blogspot.com/ 

- news.google.com/news/url?url = http://keyserefrain 
.blogspot.com/ 

New redirectors introduced include: 

overmerit3 .cn - Email: admin@cryzisday.com 

belgiumnation .cn - Email: vesta@greaselive.au 

iraqcontacts .cn - Email: admin@resemm.de 

womenregrets .cn - Email: admin@resemm.de 

wallgreensmart .cn - Email: admin@cryzisday.com 

brazilcountry .cn - Email: vesta@greaselive.au 

womenregrets2 .cn - Email: in@groovezone.com 

News scareware domains introduced include: 

internetdefencesystem .com - Email: 
admin@wyverny.com 

royalsecure-al .com - Email: in@groovezone.com 
royaldefencescanl .com - Email: in@groovezone.com 
royaldefensescanl .com - Email: in@groovezone.com 



royaldefencescan .com - Email: contacts@esseys.au 
royaldefensescan .com - Email: contacts@esseys.au 
royalprotectionscan .com - Email: contacts@esseys.au 

[6] Sampled copy phones back to a new domain 

(austin2reed .com/?b=lsl; austin2reed .com/?b=l) 

using the same IP (92.48.119.36) as the previous phone- 
back domain. 

UPDATED, Thursday, November 26, 2009: The gang 
has currently suspended the use of client-side exploits, let's 
see if it's only for the time being or indefinitely. Scareware is 
whatsoever, introduced with periodically registered new 
domains - argentinastyle .cn - Email: 
vesta@greaselive.au and australiagold .cn - Email: 
vesta@greaselive.au, redirect to bestscan066 .com - 
Email: fransysles2@yahoo.com and to bestscan044 .com - 
Email: fransysles2@yahoo.com - 

[7] detection rate. 

The exploit serving domains (el3x .cn; kiano-180809 
.com and ttt20091124 .info) remain active. 

The Koobface botnet, a case study on propagation relying 
exclusively on social engineering tactics and system¬ 
atic abuse of legitimate Web 2.0 services, has introduced a 
second "game-changer" next to the [8]migration to 
distributed command and control infrastructure once its 
[9]centralized operations got shut down. 

Next to the embedded and automatically rotating scareware 
redirects placed on each and every infected host part of the 



Koobface botnet, the gang behind it has now started 
officially using client-side exploits ( [10]VBS/Psyme.BM; 

[11 ]Exploit. Pidief EX; [12]Exploit. Win32. IMG- WMF etc. ) by 
embedding two iFrames on all the Koobface-infected 
hosts ( Underground Molotov - function molot (m)), which 
connect to a well known (average) web malware 
exploitation kit's interface. Not only would a user that clicks 
on the Koobface URL be exposed to the Koobface binary 
itself, now pushed through client-side exploits, but also, to 
the periodically changed scareware domains. 
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Let's dissect the campaign, expose the entire domains 
portfolio involved or introduced since the beginning of the 
week, and once again establish a connection between the 
Koobface gang and money mule recruitment scams 

followed by scareware domains ([ 13]lnst _312s2.exe; 

[ 14]Inst _312s2.exe from [15]today, both of them phone 
back to [16]angle-meter .com/?b=l), all registered using 
the same emails. 

Scareware redirectors seen during the past couple of the 
days, parked at 91.213.126.250: 

solidresistance .cn - Email: admin@cryzisday.com 

separator2009 .cn - Email: admin@cryzisday.com 

zapotec2 .cn - Email: admin@cryzisday.com 

befree2 .cn - Email: gmk2000@yahoo.com 

entombing2009 .cn - Email: info@grindsteal.fr 


economyguide .cn - Email: info@plaguegr.de 
smile-life .cn - Email: gmk2000@yahoo.com 
everlastmovie .cn - Email: gmk2000@yahoo.com 
monocline .cn - Email: info@plaguegr.de 
mozzillaclone .cn - Email: sanbeans6@yahoo.com 
monkey-greese .cn - Email: sanbeans6@yahoo.com 
surgingnurse .cn - Email: info@grindsteal.fr 
mailboxinvite .cn - Email: sanbeans6@yahoo.com 
flatletkick .cn - Email: info@plaguegr.de 
nonsensical .cn - Email: info@grindsteal.fr 
moralisefilm .cn - Email: info@grindsteal.fr 
firefoxavatar .cn - Email: sanbeans6@yahoo.com 
onlinestarter .cn - Email: info@plaguegr.de 
clowncirus .cn - Email: sanbeans6@yahoo.com 
political-news .cn - Email: info@plaguegr.de 
harry-pott .cn - Email: gmk2000@yahoo.com 
repeatability .cn - Email: info@grindsteal.fr 
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New scareware domains portfolio parked at 95.143.192.51; 
83.133.119.84; 91.213.126.103: 

valuewebscana .com - Email: lynd.stafford@yahoo.com 

valuescana .com - Email: lynd.stafford@yahoo.com 

cyber-scan-1 .com - Email: admin@dedicatezoom.com 

yourantispy-1 .com - Email: shah 
_indigo@googlemail.com 

cyber-scanOll .com - Email: admin@dedicatezoom.com 

cyber-scan-2 .com - Email: admin@dedicatezoom.com 

antimalware-3 .com - Email: shah 
_indigo@googlemail.com 

yourmalwarescan3 .com - Email: shah 
_indigo@googlemail.com 

antimalwarescana4 .com - Email: 
j.wirth@smsdetective.com 

today-scan4 .com - Email: millercall413@yahoo.com 

antispy-scan5 .com - Email: shah 
_indigo@googlemail.com 

yourantivira7 .com - Email: j.wirth@smsdetective.com 
yourmalwarescan7 .com - Email: info@bellyn.com 
yourantispy-8 .com - Email: info@bellyn.com 
cyber-scan08 .com - Email: admin@dedicatezoom.com 



cyber-scan09 .com - Email: admin@dedicatezoom.com 

beprotected9 .com - Email: essi@calinsella.eu 

spyware-scan9 .com - Email: info@bellyn.com 

yourantispy-a .com - Email: shah 
_indigo@googlemail.com 

checkforspywarea .com - Email: sanbeans6@yahoo.com 

checkfilesherea .com - Email: sanbeans6@yahoo.com 

scanfilesherea .com - Email: sanbeans6@yahoo.com 

findprotectiona .com - Email: admin@wyverny.com 

checkfilesnowa .com - Email: sanbeans6@yahoo.com 

web-scanm .com - Email: essi@calinsella.eu 

today-scann .com - Email: essi@calinsella.eu 

4eay-protection .com - Email: millercall413@yahoo.com 

The client-side exploit redirection takes place through three 
separate domains, all involved in previous Zeus 

crimeware campaigns, parked on the same IP in a 
cybercrime-friendly ASN. For instance, 

el3x.cn/testl3/index.php 

- [17J210.51.166.119 - Email: Exmanoize@qip.ru redirects 

to el3x.cn/testl3/x.x -> el3x.cn/testl3/pdf.php -> 
el3x.cn/testl3/load.php?spi=javad -> 
el3x.cn/testl3/soc.php using [18]VBS/Psyme.BM; 

[19 ] Exploit. Pidief. EX; 



[20]Exploit. Win32.IMG-WMF etc. pushing [21Jload.exe, 
which phones back to a well known "leftover" from Koobface 
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botnet's centralized infrastructure - xtsd20090815 
.com/adm/index.php 

Now it gets even more interesting, with the Koobface gang 
clearly rubbing shoulders with authors of actual 

web malware exploitation kits, who diversify their 
cybercrime operations by participating in money mule 
recruitment scams, zeus crimeware serving campaigns, and 
scareware. 

Parked on [22]210.51.166.119 where the first iFrame is 
hosted, are also the following domains participating in 
related campaigns: 

amerOtestO .cn - Email: abusehostserver@gmail.com -> 
[23]money mule recruitment 

antivirusfreecO .cn - Email: abusehostserver@gmail.com - 
> [24]money mule recruitment 

arendanomer2 .cn - Email: Exmanoize@qip.ru 

domOcn .cn - Email: Exmanoize@qip.ru 

domlcn .cn - Email: Exmanoize@qip.ru 

dom2cn .cn - Email: Exmanoize@qip.ru 

domxO .cn - Email: Exmanoize@qip.ru 

domxl .cn - Email: Exmanoize@qip.ru 
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domx2 .cn - Email: Exmanoize@qip.ru 
doxO .cn - Email: Exmanoize@qip.ru 
doxl .cn - Email: Exmanoize@qip.ru 
dox2 .cn - Email: Exmanoize@qip.ru 
dox3 .cn - Email: Exmanoize@qip.ru 
edit2china .cn - Email: Exmanoize@qip.ru 
edit3china .cn - Email: Exmanoize@qip.ru 
ellx .cn - Email: Exmanoize@qip.ru 
el2x .cn - Email: Exmanoize@qip.ru 
el3x .cn - Email: Exmanoize@qip.ru 

gymOreplace .cn - Email: chen.poonl732646@yahoo.com 
-> [25]scareware domain registration 

herosimalyet .cn - Email: Exmanoize@qip.ru 

herosimalyetOOg .cn - Email: 
abusehostserver@gmail.com 

otherchina .cn - Email: Exmanoize@qip.ru 

parliament .tk - Email: royalddos@gmail.com 

privetl .cn - Email: Exmanoize@qip.ru 

privet2 .cn - Email: Exmanoize@qip.ru 


privet3 .cn - Email: Exmanoize@qip.ru 


sport-lab .cn - Email: abuseemaildhcp@gmail.com -> 
[26]money mule recruitment domain [27]registrations 
trafdomins .cn - Email: Exmanoize@qip.ru 

The second iFrame domain parked at [28]61.235.117.83 
redirects in the following way - kiano-180809 

.com/oko/help.html - 61.235.117.83 - Email: 
bigvillyxxx@gmail.com leads to kiano-180809 
.com/oko/dyna _soc.html -> kiano-180809 
.com/oko/tomato _guy _13.html -> kiano-180809 
.com/oko/update.vbe -> kiano-180809 .com/oko/dyna 
wm.wmf. 

The same exploitation structure is valid for the third iFrame 
domain -ttt20091124 .info/oko/help.html which is 
again, parked at 61.235.117.83 and was embedded at 
Koobface-infected hosts over the past 24 hours. 

What prompted this shift on behalf of the Koobface gang? 
Declining infection rates - I'm personally not see¬ 
ing a decline in the click-through rate, with over 500 clicks 
on a spamvertised Kooobface URL over a period of 24 

hours - or their obsession with traffic optimization? In terms 
of social engineering, the [29]periodic introduction of 821 

new templates proved highly successful for the gang, but 
the newly introduced outdated client-side exploits can in 
fact generate more noise than they originally anticipated, if 
they were to continue relying on [30]social engineering 
vectors only. 



One thing's certain - the Koobface gang is now on the 
offensive, and it would be interesting to see whether 

they'd introduce a new exploits set, or continue relying on 
the one offered by the web exploitation kit. 
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Koobface Botnet Starts Serving Client-Side Exploits 
(2009-11-25 20:09) 

UPDATED, Wednesday, December 02, 2009: The 

systematic rotation of new redirectors and scareware 
domains 

remains ongoing, with no signs of resuming the use of 
client-side exploits. 

Some of the latest ones include inviteerverwhere .cn - 
Email: box@cethcuples.com -> scanner-infoa .com - 

Email: inout@celestia.com, 

[l]scareware detection rate 























; leconomyguide .cn - Email: contact@berussa.de -> 
superdefenceaj .com - Email: inout@celestia.com, 
[2]scareware detection rate; slip-stream .cn - Email: 
info@mercedess.de -> getsafeantivirusa .com - Email: 
morri-son2g@yahoo.com, [3]scareware detection rate. 

The complete list of redirectors introduced over the past 
week is as follows: leconomyguide .cn; lmonocline 

.cn; lnonsensical .cn; lonlinestarter .cn; lpolitical- 
news .cn; argentinastyle .cn; australiagold .cn; 
austriamoney 

.cn; beatupmean2 .cn; belgiumnation .cn; 
brazilcountry .cn; firefoxfowner .cn; 
inviteerverwhere .cn; iraqcontacts 

.cn; makenodifference2 .cn; manualgreese .cn; 
overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; 
separator2009 

.cn; slip-stream .cn; solidresistance .cn; 
wallgreensmart .cn; windowsclone .cn; 
womenregrets .cn; womenregrets2 


.cn 

UPDATED, Saturday, November 28, 2009: 

Following yesterday's experiment with bit.ly redirectors, re¬ 
lying on a "visual social engineering element" by adding 
descriptive domains after the original link - 

bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which 
works with any generated bit.ly link, the gang is now 
spamvertising links using Google News redirection to 



automatically registered Blogspot accounts, whose 

[4] CAPTCHA challenge has been solved by the already 
infected with Koobface victims, a feature that is now 
mainstream, compared to the gang's previous use of 

[5] commercial CAPTCHA solving services, where the price 
for a thousand solved CAPTCHAs 

varies between $1 and $2: 

- news.google.com/news/url? 

url = http://pierrickcastoe .blogspot.com/ 

- news.google.com/news/url? 

url = http://biilybiilybangert .blogspot.com/ 

- news.google.com/news/url? 

url = http://majdimajdinoordijk .blogspot.com/ 

- news.google.com/news/url? 
url=http://vassellpelovska .blogspot.com/ 
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- news.google.com/news/url? 

url = http://troitroiweinbrenner .blogspot.com/ 

- news.google.com/news/url?url = http://keyserefrain 
.blogspot.com/ 

New redirectors introduced include: 
overmerit3 .cn - Email: admin@cryzisday.com 
belgiumnation .cn - Email: vesta@greaselive.au 
iraqcontacts .cn - Email: admin@resemm.de 
womenregrets .cn - Email: admin@resemm.de 



wallgreensmart .cn - Email: admin@cryzisday.com 

brazilcountry .cn - Email: vesta@greaselive.au 

womenregrets2 .cn - Email: in@groovezone.com 

News scareware domains introduced include: 

internetdefencesystem .com - Email: 
admin@wyverny.com 

royalsecure-al .com - Email: in@groovezone.com 
royaldefencescanl .com - Email: in@groovezone.com 
royaldefensescanl .com - Email: in@groovezone.com 
royaldefencescan .com - Email: contacts@esseys.au 
royaldefensescan .com - Email: contacts@esseys.au 
royalprotectionscan .com - Email: contacts@esseys.au 

[6]Sampled copy phones back to a new domain 

(austin2reed .com/?b= Isl; austin2reed .com/?b=l) 

using the same IP (92.48.119.36) as the previous phone- 
back domain. 

UPDATED, Thursday, November 26, 2009: The gang 
has currently suspended the use of client-side exploits, let's 
see if it's only for the time being or indefinitely. Scareware is 
whatsoever, introduced with periodically registered new 
domains - argentinastyle .cn - Email: 
vesta@greaselive.au and australiagold .cn - Email: 
vesta@greaselive.au, redirect to bestscan066 .com - 
Email: fransysles2@yahoo.com and to bestscan044 .com - 
Email: fransysles2@yahoo.com - 



[7]detection rate. 

The exploit serving domains (el3x .cn; kiano-180809 
.com and ttt20091124 .info) remain active. 

The Koobface botnet, a case study on propagation relying 
exclusively on social engineering tactics and system¬ 
atic abuse of legitimate Web 2.0 services, has introduced a 
second "game-changer" next to the [8]migration to 
distributed command and control infrastructure once its 
[9]centralized operations got shut down. 

Next to the embedded and automatically rotating scareware 
redirects placed on each and every infected host part of the 
Koobface botnet, the gang behind it has now started 
officially using client-side exploits ( [lOJVBS/Psyme.BM; 

[11 ]Exploit. Pidief. EX; [12]Exploit. Win32. IMG- WMF etc. ) by 
embedding two iFrames on all the Koobface-infected 
hosts ( Underground Molotov - function molot (m)), which 
connect to a well known (average) web malware 
exploitation kit's interface. Not only would a user that clicks 
on the Koobface URL be exposed to the Koobface binary 
itself, now pushed through client-side exploits, but also, to 
the periodically changed scareware domains. 
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Let's dissect the campaign, expose the entire domains 
portfolio involved or introduced since the beginning of the 
week, and once again establish a connection between the 
Koobface gang and money mule recruitment scams 


followed by scareware domains ([ 13]lnst _312s2.exe; 

[ 14]Inst _312s2.exe from [15]today, both of them phone 
back to [16]angle-meter .com/?b=l), all registered using 
the same emails. 

Scareware redirectors seen during the past couple of the 
days, parked at 91.213.126.250: 

solidresistance .cn - Email: admin@cryzisday.com 

separator2009 .cn - Email: admin@cryzisday.com 

zapotec2 .cn - Email: admin@cryzisday.com 

befree2 .cn - Email: gmk2000@yahoo.com 

entombing2009 .cn - Email: info@grindsteal.fr 

economyguide .cn - Email: info@plaguegr.de 

smile-life .cn - Email: gmk2000@yahoo.com 

everlastmovie .cn - Email: gmk2000@yahoo.com 

monocline .cn - Email: info@plaguegr.de 

mozzillaclone .cn - Email: sanbeans6@yahoo.com 

monkey-greese .cn - Email: sanbeans6@yahoo.com 

surgingnurse .cn - Email: info@grindsteal.fr 

mailboxinvite .cn - Email: sanbeans6@yahoo.com 

flatletkick .cn - Email: info@plaguegr.de 

nonsensical .cn - Email: info@grindsteal.fr 



moralisefilm .cn - Email: info@grindsteal.fr 
firefoxavatar .cn - Email: sanbeans6@yahoo.com 
onlinestarter .cn - Email: info@plaguegr.de 
clowncirus .cn - Email: sanbeans6@yahoo.com 
political-news .cn - Email: info@plaguegr.de 
harry-pott .cn - Email: gmk2000@yahoo.com 
repeatability .cn - Email: info@grindsteal.fr 
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New scareware domains portfolio parked at 95.143.192.51; 
83.133.119.84; 91.213.126.103: 

valuewebscana .com - Email: lynd.stafford@yahoo.com 

valuescana .com - Email: lynd.stafford@yahoo.com 

cyber-scan-1 .com - Email: admin@dedicatezoom.com 

yourantispy-1 .com - Email: shah 
_indigo@googlemail.com 

cyber-scanOll .com - Email: admin@dedicatezoom.com 

cyber-scan-2 .com - Email: admin@dedicatezoom.com 

antimalware-3 .com - Email: shah 
_indigo@googlemail.com 

yourmalwarescan3 .com - Email: shah 
_indigo@googlemail.com 


antimalwarescana4 .com - Email: 
j.wirth@smsdetective.com 

today-scan4 .com - Email: millercall413@yahoo.com 

antispy-scan5 .com - Email: shah 
_indigo@googlemail.com 

yourantivira7 .com - Email: j.wirth@smsdetective.com 

yourmalwarescan7 .com - Email: info@bellyn.com 

yourantispy-8 .com - Email: info@bellyn.com 

cyber-scan08 .com - Email: admin@dedicatezoom.com 

cyber-scan09 .com - Email: admin@dedicatezoom.com 

beprotected9 .com - Email: essi@calinsella.eu 

spyware-scan9 .com - Email: info@bellyn.com 

yourantispy-a .com - Email: shah 
_indigo@googlemail.com 

checkforspywarea .com - Email: sanbeans6@yahoo.com 
checkfilesherea .com - Email: sanbeans6@yahoo.com 
scanfilesherea .com - Email: sanbeans6@yahoo.com 
findprotectiona .com - Email: admin@wyverny.com 
checkfilesnowa .com - Email: sanbeans6@yahoo.com 
web-scanm .com - Email: essi@calinsella.eu 
today-scann .com - Email: essi@calinsella.eu 



4eay-protection .com - Email: millercall413@yahoo.com 

The client-side exploit redirection takes place through three 
separate domains, all involved in previous Zeus 

crimeware campaigns, parked on the same IP in a 
cybercrime-friendly ASN. For instance, 

el3x.cn/testl3/index.php 

- [17]210.51.166.119 - Email: Exmanoize@qip.ru redirects 

to el3x.cn/testl3/x.x -> el3x.cn/testl3/pdf.php -> 
el3x.cn/testl3/load.php?spl=javad -> 
el3x.cn/testl3/soc.php using [18]VB5/Psyme.BM; 

[19 ]Exploit. Pi diet. EX; 

[20]Exploit. Win32.IMG-WMF etc. pushing [21]load.exe, 
which phones back to a well known "leftover" from Koobface 
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botnet's centralized infrastructure - xtsd20090815 
.com/adm/index.php. 

Now it gets even more interesting, with the Koobface gang 
clearly rubbing shoulders with authors of actual 

web malware exploitation kits, who diversify their 
cybercrime operations by participating in money mule 
recruitment scams, zeus crimeware serving campaigns, and 
scareware. 

Parked on [22]210.51.166.119 where the first iFrame is 
hosted, are also the following domains participating in 
related campaigns: 

amerOtestO .cn - Email: abusehostserver@gmail.com -> 
[23]money mule recruitment 


antivirusfreecO .cn - Email: abusehostserver@gmail.com - 
> [24]money mule recruitment 

arendanomer2 .cn - Email: Exmanoize@qip.ru 

domOcn .cn - Email: Exmanoize@qip.ru 

domlcn .cn - Email: Exmanoize@qip.ru 

dom2cn .cn - Email: Exmanoize@qip.ru 

domxO .cn - Email: Exmanoize@qip.ru 

domxl .cn - Email: Exmanoize@qip.ru 
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domx2 .cn - Email: Exmanoize@qip.ru 
doxO .cn - Email: Exmanoize@qip.ru 
doxl .cn - Email: Exmanoize@qip.ru 
dox2 .cn - Email: Exmanoize@qip.ru 
dox3 .cn - Email: Exmanoize@qip.ru 
edit2china .cn - Email: Exmanoize@qip.ru 
edit3china .cn - Email: Exmanoize@qip.ru 
ellx .cn - Email: Exmanoize@qip.ru 
el2x .cn - Email: Exmanoize@qip.ru 
el3x .cn - Email: Exmanoize@qip.ru 


gymOreplace .cn - Email: chen.poonl732646@yahoo.com 
-> [25]scareware domain registration 

herosimalyet .cn - Email: Exmanoize@qip.ru 

herosimalyetOOg .cn - Email: 
abusehostserver@gmail.com 

otherchina .cn - Email: Exmanoize@qip.ru 

parliament .tk - Email: royalddos@gmail.com 

privetl .cn - Email: Exmanoize@qip.ru 

privet2 .cn - Email: Exmanoize@qip.ru 

privet3 .cn - Email: Exmanoize@qip.ru 

sport-lab .cn - Email: abuseemaildhcp@gmail.com -> 
[26]money mule recruitment domain [27]registrations 
trafdomins .cn - Email: Exmanoize@qip.ru 

The second iFrame domain parked at [28]61.235.117.83 
redirects in the following way - kiano-180809 

.com/oko/help.html - 61.235.117.83 - Email: 
bigvillyxxx@gmail.com leads to kiano-180809 
.com/oko/dyna _soc.html -> kiano-180809 
.com/oko/tomato _guy _13.html -> kiano-180809 
.com/oko/update.vbe -> kiano-180809 .com/oko/dyna 
wm.wmf. 

The same exploitation structure is valid for the third iFrame 
domain -ttt20091124 .info/oko/help.html which is 
again, parked at 61.235.117.83 and was embedded at 
Koobface-infected hosts over the past 24 hours. 



What prompted this shift on behalf of the Koobface gang? 
Declining infection rates - I'm personally not see¬ 
ing a decline in the click-through rate, with over 500 clicks 
on a spamvertised Kooobface URL over a period of 24 

hours - or their obsession with traffic optimization? In terms 
of social engineering, the [29]periodic introduction of 829 

new templates proved highly successful for the gang, but 
the newly introduced outdated client-side exploits can in 
fact generate more noise than they originally anticipated, if 
they were to continue relying on [30]social engineering 
vectors only. 

One thing's certain - the Koobface gang is now on the 
offensive, and it would be interesting to see whether 

they'd introduce a new exploits set, or continue relying on 
the one offered by the web exploitation kit. 
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Summarizing Zero Day's Posts for November (2009- 
11-30 20:00) 

The following is a brief summary of all of my posts at 
ZDNet's [l]Zero Day for November. 

[2]You can also go through [3]previous summaries, as well 
as subscribe to my [4]personal RSS feed, [5]Zero 

Day's main feed, or follow all of [6]ZDNet's blogs on Twitter. 

Notable articles include: [7]Windows 7's default UAC 
bypassed by 8 out of 10 malware samples and [8]Man- 

in-the-middle attacks demoed on 4 smartphones. 

01. [9]iHacked: jailbroken iPhones compromised, $5 ransom 
demanded 

02. [10]Which antivirus is best at removing malware? 

03. [ll]Windows 7's default UAC bypassed by 8 out of 10 
malware samples 

04. [12]Source code for ikee iPhone worm in the wild 

05. [13]Commercial spying app for Android devices 
released 

06. [14]Man-in-the-middle attacks demoed on 4 
smartphones 

07. [15]Thousands of web sites compromised, redirect to 
scareware - the latest virtual smoking gun of [16]the 
Koobface gang 
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Pushdo Injecting Bogus Swine Flu Vaccine (2009-12- 
02 09:32) 

In the spirit of systematically introducing new themes in 
order to serve the ubiquitous crimeware releases, [l]the 
Pushdo botnet has now switched to a [2]State Vaccination 
H1N1 Program campaign, serving [3]vacc _profile.exe 
sample. 

Sample subject: State Vaccination Program-, 

Governmental registration program on the H1N1 
vaccination Sample message: " You have received this e- 
mail because of the launching of State Vaccination H1N1 
Program. You need to create your personal H1N1 (swine flu) 
Vaccination Profile on the cdc.gov website. The Vaccination 
is not obligatory, but every person that has reached the age 
of 18 has to have his personal Vaccination Profile on the 
cdc.gov site. This profile has to be created both for the 
vaccinated people and the not-vaccinated ones. This profile 
is used for the registering system of vaccinated and not- 
vaccinated people. Create your Personal H1N1 Vaccination 
Profile using the link. " 








Subdomain structure used: 

online.cdc.gov .lykasf.be 
online.cdc.gov .lykasm.be 
online.cdc.gov .lykasv.be 
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online.cdc.gov .lykasz.be 
online.cdc.gov .nyugewc.be 
online.cdc.gov .nyugewd.be 
online.cdc.gov .nyugewm.be 
online.cdc.gov .nyugewn.be 
online.cdc.gov .nyugewq.be 
online.cdc.gov .nyugewt.be 
online.cdc.gov .nyugeww.be 
online.cdc.gov .nyugewy.be 
online.cdc.gov .nyugewz.be 
online.cdc.gov .yhnbad.co.im 
online.cdc.gov .yhnbad.com.im 
online.cdc.gov .yhnbad.im 
online.cdc.gov .yhnbad.net.im 
online.cdc.gov .yhnbad.org.im 




online.cdc.gov .yhnbak.co.im 
online.cdc.gov .yhnbak.com.im 
online.cdc.gov .yhnbak.im 
online.cdc.gov .yhnbak.net.im 
online.cdc.gov .yhnbak.org.im 
online.cdc.gov .yhnbam.co.im 
online.cdc.gov .yhnbam.com.im 
online.cdc.gov .yhnbam.im 
online.cdc.gov .yhnbam.net.im 
online.cdc.gov .yhnbam.org.im 
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Actual domains involved: 

feccxz.co .uk; feccxz.me .uk; ficcxz.co .uk; gerfase 
.be; gerfasi .be; gerfaso .be; gerfasq .be; gerfasr .be; 
gerfast .be; gerfasu .be; gerfasw .be; gerfasx .be; 
gerfasy .be; hssaze .be; hssazg .be; hssazh .be; 
hssazi .be; hssazj.be; hssazl 

.be; hssazo .be; hssazp .be; hssazq .be; hssazr .be; 
hssazt .be; hssazu .be; hssazw .be; hssazy .be; 
kiooojl .be; kioooj2 .be; kioooj3 .be; kioooja .be; 
kiooojb .be; kiooojc .be; kiooojf .be; kiooojg .be; 
kiooojh .be; kiooojn .be; kiooojq .be; kiooojv .be; 
kiooojx .be; kiooojz .be; yhnbad.co .im; yhnbad.com 



.im; yhnbad .im; yhnbad.net .im; yhnbad.org .im; 
yhnbak.co .im; yhnbak .com.im; yhnbak .im; 
yhnbak.net .im; yhnbak.org .im; yhnbam.co .im; 
yhnbam.com .im; yhnbam .im; yhnbam.net .im; 
yhnbam.org .im; yurbzc.co .im; yurbzc.com .im; 
yurbzc .im; yurbzc.net .im; yurbzc.org .im; yurtzc .im; 
yuvtzc.co .im; yuvtzc.com .im; yuvtzc .im; yuvtzc.net 
.im DNS SERVERS OF NOTICE: 
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nsl.elkins-realty .org - Email: HR2000@gmail.com 
nsl.a-personalhire .com - Email: personalhire@mail.com 

nsl.iceagestrem .com 
nsl.poolandmonster .com 
nsl.autotanscorp .net 
nsl.shuzmen .com 

Upon execution, the sample phones back to 

193.104.41.75/kissme /rec.php and 193.104.41.75 
/ip.php, while attempting to download promed-net 
,com/css/[4]absderce2.exe and 193.104.41.75/ 
cbd/[5]75.bro, with the IP 

itself already [6]blacklisted by the Zeus Tracker, as well as 
related activity on the same netblock - [7]AS49934 

(VVPN-AS PE Voronov Evgen Sergiyovich). 

Related posts: 

[8]"Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 



[9]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 


[10]The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [HJDancho Danchev's 
blog. 
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6. https://zeustracker.abuse.ch/monitor. php? 
host=193.104.41.75 
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as=49934&filter=online 
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10. http://ddanchev.blo as pot.com/20Q9/Q7/multitaskin a- 
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Celebrity-Themed Scareware Campaign Abusing 
DocStoc and Scribd (2009-12-03 22:18) 

UPDATED: DocStoc has removed all the participating 
profiles and their documents. 

A currently ongoing scareware campaign is using celebrity- 
themed blackhat SEO tactics in order to hijack legit¬ 
imate traffic by abusing the popular DocStoc and Scribd 
document-sharing services. What's the single most 

interesting thing about this campaign anyway? It's fact that 
one of the domains parked on the same IP that the rest of 
the malware and exploit serving ones are - they naturally 
multitask and engage in drive-by attacks - newsoff .net 
has been registered with the same email 






















pvcprotect@gmail.com as the original gumblar .cn 
domain. 

Once the user clicks on the bogus video window embedded 
as an active document, which as matter of fact 

doesn't issue any warning that the user is leaving the site, a 
redirection takes place through shurus .net/in.cgi?3 -> 
b.corlock .net/main.html - 188.165.65.173 - Email: 
jessica357ass@gmail.com where the user is asked to 
download 

[ljload.exe. 
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Parked on [2]the same IP is the rest of the domains portfolio, 
which is also involved in separate drive-by campaigns: 
offnews .cn - Email: cuitiankai@googlemail.com 

newsoff .net - Email: pvcprotect@gmail.com - Ooh la la, 
the original gumblar .cn has been registered with the 
same email 

curah .net - Email: jessica357ass@gmail.com 
corlock .net - Email: jessica357ass@gmail.com 
klirok .net - Email: jessica357ass@gmail.com 
murrr .net - Email: jessica357ass@gmail.com 
shurus .net - Email: jessica357ass@gmail.com 
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Sample Scribd activity per username: 

Iupanl3 -1,148 documents; 3,301 total reads 

jess357 - 877 documents; 15,202 total reads 

mumukan - 875 documents; 19,791 total reads 

cekalo - 874 documents; 2,926 total reads 

Sample Docstoc activity per username: 

valaman - Docs: 460; Views: 13224 

zalupa - Docs: 407; Views: 14397 

monilit - Docs: 871; Views: 5265 

babaka - Docs: 252; Views: 183 

namaska - Docs: 139; Views: 8 

rumaska - Docs: 829; Views: 172 

zuzya - Docs: 748; Views: 280 

malinal3 - Docs: 66; Views: 15377 

yoqeojegu - Docs: 9; Views: 3284 

ryjokoleqayebi - Docs: 10; Views: 326 

jopanl3 - Docs: 397; Views: 43876 

iculyodysocehi - Docs: 10; Views: 3721 

Iupanl3 - Docs: 414; Views: 29275 
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Upon execution it drops the Home Antivirus 2010 
scareware which features a "Spyware Alert!" security 
warning explaining the dangers of Worm.Win32.NetSky. The 
scareware ([3JSetupAdvancedVirusRemover.exe) is 
downloaded 

[4]from downloadavrl3 .com - 193.104.110.50 - Email: 
noxim@maidsf.ru. Parked on the same IP is a well known 
portfolio of scareware domains, first [5]observed in July and 
most recently [6]in September: 

10-open-davinci .com 

advanced-virusremover2009 .com - Email: giogr@ua.fm 

advancedvirus-remover2009 .com - Email: 
jopa@gmail.com 

advanced-virus-remover2009 .com - Email: 
masle@masle.kz - [7]seen in July, 2009 

advancedvirusremover-2009 .com - Email: 
eptit@eptit.us 

advanced-virusremover-2009 .com - Email: 
support@antivirus-xp-pro2009.com 

advancedvirus-remover-2009 .com - Email: ttl@ua.fm 

advanced-virus-remover-2009 .com - Email: ubiv@i.ua 

advancedvirusremover-2010 .com - Email: 
noxim@maidsf.ru 

advanced-virus-remover-2010 .com - Email: 
noxim@maidsf.ru 


anti-virus-xp-pro2009 .com - Email: 
chen.poonl732646@yahoo.com 

best-scan .biz - Email: noxim@maidsf.ru 

best-scan .com - Email: noxim@maidsf.ru 

best-scan-pc .biz - Email: noxim@maidsf.ru 

best-scanpc .com - Email: alex@mail.ge 
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best-scan-pc .com 
best-scanpc .net 
best-scan-pc .net 

coolcountl .com - Email: noxim@maidsf.ru 

coolcount2 .com - Email: noxim@maidsf.ru 

downloadavrlO .com - Email: noxim@maidsf.ru 

downloadavrll .com - Email: noxim@maidsf.ru 

downloadavrl2 .com - Email: noxim@maidsf.ru 

downloadavrl3 .com - Email: noxim@maidsf.ru 

downloadavr3 .com - Email: support@antivirus-xp- 
pro2009.com 

downloadavr4 .com - Email: ttl@ua.fm 
downloadavr5 .com - Email: vs@ua.km 


downloadavr6 .com - Email: alex@i.ua 
downloadavr7 .com - Email: noxim@maidsf.ru 
downloadavr8 .com - Email: noxim@maidsf.ru 
downloadavr9 .com - Email: noxim@maidsf.ru 

hard-xxx-tube .com 

malware-scan .net - Email: noxim@maidsf.ru 

malware-scaner .net - Email: noxim@maidsf.ru 

masterhost.co .in - Email: pricklyy@mail.ru 

onlinescanxppro .com - Email: 
chen.poonl732646@yahoo.com 

pc-scanner .info - Email: noxim@maidsf.ru 

pc-scanner-2010 .net - Email: noxim@maidsf.ru 

pc-scannerr .biz - Email: noxim@maidsf.ru 

pc-scannerr .com - Email: noxim@maidsf.ru 

pc-scannerr .info - Email: noxim@maidsf.ru 

pc-scannerr .net - Email: noxim@maidsf.ru 

pc-scannerr .us - Email: noxim@maidsf.ru 
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testavrdown .com - Email: support@antivirus-xp- 
pro2009.com 

testavrdownnew .com - Email: mamed@i.ua 



trucount3005 .com - Email: 
chen.poonl732646@yahoo.com - [8]money-mule 
recruitment connection 

trucountme .com - Email: valentin@gergiea.kz - 

[9] already profiled 

white-xxx-tube .com - Email: noxim@maidsf.ru 
xxx-white-tube .biz - Email: noxim@maidsf.ru 
xxx-white-tube .net - Email: gnom@gnom.ge 
DocStoc and Scribd have been notified. 

Related posts: 

[10] The Ultimate Guide to Scareware Protection 

[11] Scareware Campaign Using Google Sponsored Links 

[12] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[13] Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign 

[14] U.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding 

[15] Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware 

[16] A Peek Inside the Managed Blackhat SEO Ecosystem 

[17] Dissecting a Swine Flu Black SEO Campaign 

[18] Massive Blackhat SEO Campaign Serving Scareware 



[19] From Ukrainian Blackhat SEO Gang With Love 

[20] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[22] Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 
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14. http://ddanchev.blo as pot.com/2QQ9/Q8/us-federal- 
forms-blackhat-seo-themed.html 


15. http://ddanchev.blo as pot.com/20Q9/Q8/blackhat-seo- 
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18. http://ddanchev.blo as pot.com/2QQ9/Q4/massive- 
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20. http://ddanchev.blo as pot.com/2QQ9/Q6/from-ukrainian- 
blackhat-seo- a an a -with 09.html 

21. http://ddanchev.blo as pot.com/2QQ9/Q6/from-ukraine- 
with-scareware-servin a .html 

22. http://ddanchev.blo as pot.com/2QQ9/Q6/fake-web- 
hostin a- provider-front-end-to.html 

23. http://ddanchev.blo as pot.com/ 
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Keeping Reshipping Mule Recruiters on a Short 
Leash (2009-12-07 20:26) 

Following my previous "[l]Keeping Money Mule Recruiters 
on a Short Leash" and "[2]Standardizing the Money Mule 
Recruitment Process" posts, the campaigners behind the 
previously exposed money-mule recruitment domains 

looking for "[3] payment processing assistant', are now also 
looking for" mailing assistants" to reship the fraudulently 
purchased items using stolen financial data. 
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What happens once they standardize the practice? The 
network of reshipping mules ends up as as a [4]web-based 

command and control interface, allowing the customers of 
the mule recruitment syndicate to easily monitor the 

activity regarding their fraudulently purchased goods. In 
both of these models, the single most evident benefit for the 
cybercriminal remains the risk-forwarding of the entire 
process to the unknowingly participating in the cybercrime 
ecosystem employee. 



Some of the new and currently active reshipping mule 
recruitment brands include - Total River Goods, Fargo 

River Goods, Irish River Goods and Parcel Alliance. Here's 
how they describe themselves: 
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11 As an independent logistics provider, Total River Goods 
offers supply logistics management and transportation 
management services including: freight forwarding, 
packages forwarding, parcel forwarding, postal services and 
other postal services. Total River Goods is the world's active 
developer of retail shipping, business and postal online 
service centers. Since development begun in 2000 we 
listened to our clients and developed our services based on 
feedback we have received. Our service evolved through 
the years and at this moment of time looks and feels how 
our customers want. 

After many years of development and testing, in 2008 we 
released our online shipping service. With the new 

online service Total River Goods is true virtual mail service. 
We are constantly adding to our services ensuring that we 
will stay the market leader. Please feel free to contact us if 
you have any questions or comments. Unlike many other 
online organizations, we have a goal to reply to ail queries 
within 24 to 48 hours, including business days and 
weekends. " 

Domains involved: 

totalrivergoods .com - 94.103.90.130 - Email: justin 
_dickerson@ymail.com - used in [5]money-mule recruitment 


domain registration 


fargorivergoods .com - 94.103.90.130 - Email: 
williamashley40@yahoo.com 

parcelalliance .com - 94.103.90.200 - 
domainprivate@communigal.com 

irishrivergoods .com - 94.103.90.130 - Email: 
MarcusStraker909@gmail.com - [6]used in money-mule 
recruitment domain registration 

Thanks to Derek from [7]aa419.org for the ping. 

Related posts: 

[8] Keeping Money Mule Recruiters on a Short Leash 

[9] Standardizing the Money Mule Recruitment Process 

[10] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 
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[11] Money Mules Syndicate Actively Recruiting Since 2002 

[12] lnside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [13]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as DOt.com/2009/ll/keeoin a -mone v- 
mule-recruiters-on-short.html 

2. http://ddanchev.blo as pot.com/20Q9/10/standardizin a- 
monev-mule-recruitment.html 










3. http://www.fbi. a ov/pressrel/pressrelQ9/ach_llQ3Q9.htm 


4. http://www.rsa.com/blo a /blo a _entrv.aspx7id = 1541 

5. http://ddanchev.blo as pot.com/2QQ9/lQ/standardizin a- 
monev-mule-recruitment.html 

6. http://ddanchev.blo as pot.com/2QQ9/ll/keepin a -mone v- 
mule-recruiters-on-short.html 

7. http://www.aa419.or a/ 

8. http://ddanchev.blo as pot.com/2QQ9/ll/keepin a -mone v- 
mule-recruiters-on-short.html 

9. http://ddanchev.blo as pot.com/2QQ9/lQ/standardizin a- 
monev-mule-recruitment.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q7/monev-mule- 
recruiters-use-asproxs-fast.html 

11. http://ddanchev.blo as pot.com/2QQ8/lQ/monev-mules- 
s vndicate-activelv.html 

12. http://ddanchev.blo as pot.com/2QQ9/Q5/inside-mone v- 
launderin a-a roups-spammin a .html 

13. http://ddanchev.blo as pot.com/ 
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Celebrity-Themed Scareware Campaign Abusing 
DocStoc (2009-12-07 22:17) 

UPDATE: Docstoc has removed all the participating 
accounts in this campaign, and is applying additional 













































filtering to undermine its effectiveness. 

Last week's M [l]Celebrity-Themed Scareware Campaign 
Abusing DocStoc and Scribd" is now exclusively targeting 
the popular Docstoc document-sharing service. Naturally, 
this very latest campaign once again offers overwhelming 
evidence on the inner workings of the cybercrime 
ecosystem, in this particular case, the connection between 
the Koobface gang and money mule recruitment campaigns. 
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So let's cut to the chase before we expose the entire 
campaign, and have all the involved profiles removed. One 
of the most popular bogus video site link embedded in these 
documents, wildyourvideo .com - 188.130.250.246 

- gevtone@gmail.com, is using NS1.FUCKABUSE .BIZ - 
abusehostserver@gmail.com - as its nameserver. The same 
email was also used to registered some of the [2]client-side 
exploit serving domains part of the Koobface drive-by 
download experiment, and is also known to [3]have been 
used in registering [4]money-mule recruitment [5]domains. 

Automatically registered Docstoc accounts involved: 

docstoc .com/profile/abefugymyul6261 
docstoc .com/profile/acihofabulobe4403 
docstoc .com/profile/adisareiecij23245 
docstoc .com/profile/apyauputyl0168 
docstoc .com/profile/aqoqulicumisahl6835 


docstoc .com/profile/aqypycapytu4493 
docstoc .com/profile/atirogesepuiohl0057 
docstoc .com/profile/atolageleraru 
docstoc .com/profile/ayluleasyte37 
docstoc .com/profile/bacuqelufukone 
docstoc .com/profile/bibiemymieal2218 
docstoc .com/profile/bonituhibol8350 
docstoc .com/profile/bypopopihebygukl5216 
docstoc .com/profile/byqaocopymyn 
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docstoc .com/profile/cubaaacanejof26562 
docstoc .com/profile/daaqajyceqehi21058 
docstoc .com/profile/deuymyhocapaqu2971 
docstoc .com/profile/dorusefykylam 
docstoc .com/profile/dyahucybofuk 
docstoc .com/profile/eaahuigu 
docstoc .com/profile/eduobecoyy23483 
docstoc .com/profile/efifyybiciga21903 
docstoc .com/profile/efodotoodyga7522 


docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 
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docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 

docstoc 


.com/profile/eheahakyydat 

.com/profile/ekysihyracihapi2534 

.com/profile/eqitulesarasimi 10237 

.com/profile/fukepeojened 16595 

.com/profile/fuosupoqeseta 

.com/profile/gicorukucyqa 

.com/profile/goibidukejeany 

.com/profile/gupapegesia 

.com/profile/gydohesypero 

.com/profile/holoadybyila 


.com/profile/hysygususedi 17619 

.com/profile/idejyetyoibi 

.com/profile/ierycyceda 

.com/profile/igikapuheac979 

.com/profile/imaemesaoker321 

.com/profile/imaqaybyqerol6774 

.com/profile/ineigysatu 

.com/profile/isajetedisucadop 


docstoc .com/profile/joqajerulehuyb 
docstoc .com/profile/loufahysimirotu 16153 
docstoc .com/profile/lunyikajek 
docstoc .com/profile/macugysie9926 
docstoc .com/profile/myrosejilur 
docstoc .com/profile/oboduqumufo 
docstoc .com/profile/ocetiiuq 
docstoc .com/profile/oijaobymegapob4072 
docstoc .com/profile/ojujutauguqel6712 
docstoc .com/profile/okytokydogu 
docstoc .com/profile/omipasudeol9398 
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docstoc .com/profile/onobytadiny7825 
docstoc .com/profile/pugihutoaqi8884 
docstoc .com/profile/pygylipuhisupel787 
docstoc .com/profile/pymuhaqyretok23088 
docstoc .com/profile/qouuebepy22520 
docstoc .com/profile/quqadekytel 
docstoc .com/profile/qynucehae!5146 


docstoc .com/profile/roonusohigi25266 
docstoc .com/profile/ryjisuuuha 
docstoc .com/profile/sujiloyhiimiq6675 
docstoc .com/profile/tumofeukirilida9561 
docstoc .com/profile/tydiidugaoga 
docstoc .com/profile/uacalobyj24600 
docstoc .com/profile/uaekihygua 
docstoc .com/profile/ugadofauuy17774 
docstoc .com/profile/ukylapytijun 
docstoc .com/profile/unobahamor27750 
docstoc .com/profile/upyeudufyye5432 
docstoc .com/profile/uykulylykil0195 
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docstoc .com/profile/yahypiger 
docstoc .com/profile/ybonyoeo 
docstoc .com/profile/ydajyqeylaqunl4519 
docstoc .com/profile/yhonalejuboha 
docstoc .com/profile/yjacilehybatage29784 
docstoc .com/profile/ynefyjopam 
docstoc .com/profile/yodulafiy8856 



docstoc .com/profile/ypybifaboaqy22695 
docstoc .com/profile/ysofaerabyqafi22465 
docstoc .com/profile/zalupa 

Sampled accounts are currently advertising some of the 
following domains - wildyourvideo .com - 
188.130.250.246 - 

gevtone@gmail.com - where the malware is obtained from 

technologyplayer .com/[6]xvidplayer.45206.exe which 
phones back to: 

central-arts-gallery .com - 216.240.146.126 - 
aproctor@who.net 

gold-ballade-art .com - 66.199.229.230 - 
madkins@outgun.com 

global-arts-area .com - 64.27.5.204 -tcrotts@safrica.com 

Related Docstoc accounts also link to two Blogspot accounts 

- carrie-prejean-sex-tapes .blogspot.com; carrie- 
prejean-sextape-video-free .blogspot.com advertising 
tv-world-online .net - 58.218.199.186 - 
breathy3@gmail.com with the malware obtained from 
freebigutilites .com/[7]install _ActiveX.45171.exe. 
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Parked on 58.218.199.186 are also related domains, with 
money-mule recruitment domain involvement: 

On-china .cn - Email: abusehostserver@gmail.com 


bigitube .com - Email: lastomarino@gmail.com 
free-video-portall .info - Email: kokishpoki@gmail.com 
free-video-portal4 .info - Email: kokishpoki@gmail.com 

greatmagice .com 

i-finally-found .cn - Email: 
Michell.Gregory2009@yahoo.com 

relevant-information .cn - Email: steven lucas 
_2000@yahoo.com 

search-results .cn - Email: hilarykneber@yahoo.com 

share-video-portall .info - Email: kokishpoki@gmail.com 

share-video-portal4 .info - Email: kokishpoki@gmail.com 

spainsn .com - Email: ijushdf@gmail.com 

usworkingspace .com - Email: ijushdf@gmail.com 

web-paradise .cn - Email: steven Jucas 
_2000@yahoo.com 
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wed-bew .cn - Email: Michell.Gregory2009@yahoo.com 

The domain location domain freebigutilites.com responds to 
69.10.41.147, parked on the same IP are the rest of the 
domains used in this and related campaigns: 

bbflashplugin .com - Email: davidg@representative.com 


bestflashplugins .com - Email: rcuthbertson@witty.com 

digitalmultimediasoftware .com - Email: 
cperry@wallet.com 

frashflashplugins .com - Email: rcuthbertson@witty.com 

freebigutilites .com - Email: sybarra@yours.com 

freemegautilites .com - Email: sybarra@yours.com 

globaltechsoftware .com - Email: cperry@wallet.com 

loadmoviesoft .com - Email: virgilm@disciples.com 

mediaarchive2009 .com - Email: mmerchant@priest.com 

mediadatastorage .net - Email: patrickf@loveable.com 

mediagroup2009 .com - Email: mmerchant@priest.com 

multimediafact .com - Email: patrickf@loveable.com 

multimediafiles .net - Email: mcastillo@mindless.com 

setmoviesoft .net - Email: virgilm@disciples.com 

soft-multimedia .com - Email: terryl@dbzmail.com 

superOmultimedia .com - Email: terryl@dbzmail.com 

technewdata .com - Email: mcastillo@mindless.com 

technologyplayer .com - Email: amcdaniel@witty.com 

thebbflashplugin .com - Email: 
davidg@representative.com 
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Docstoc has been notified of the involved usernames, and 
should take action against them quickly. Naturally, the 
attacks would continue due to the apparent [8]outsourcing 
of the CAPTCHA solving process. 

Related posts: 

[9] The Ultimate Guide to Scareware Protection 

[10] Celebrity-Themed Scareware Campaign Abusing 
DocStoc and Scribd 

[11] Scareware Campaign Using Google Sponsored Links 

[12] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[13] Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign 

[14] U.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding 

[15] Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware 

[16] A Peek Inside the Managed Blackhat SEO Ecosystem 

[17] Dissecting a Swine Flu Black SEO Campaign 

[18] Massive Blackhat SEO Campaign Serving Scareware 

[19] From Ukrainian Blackhat SEO Gang With Love 

[20] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 



[22]Fake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [23]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as pot.com/2QQ9/12/celebritv-themed- 
scareware-campai a n.html 

2. http://ddanchev.blo as pot.com/2QQ9/ll/koobface-botnet- 
starts-servin a -client.html 

3. http://www.bobbear.com/blue-chip-financial- 
corporation.html 

4. http://www.bobbear.co.uk/premier-buildin a -companv.html 

5. http://www.bobbear.co.uk/24-spanish-realfv.html 

6 . 

http://www.virustotal.com/analisis/7aaffl8b41bba2228c7ce 

a 93b448fbl5da9fba42187f48e86ff6b3587fd5b6ff-12602 

11913 

7. 

http://www.virustotal.com/analisis/14fQdQbclc3d28abdcef7 

43637a73c3c8c6e0f8c23c04c90c339f7fd67716fl9-126Q2 

11976 


8. http://blo a s.zdnet.com/securit v/? p = 1835 

9. http://blo a s.zdnet.com/securit v/? p=4297 



































10. http://ddanchev.blo as pot.com/20Q9/12/celebrit v- 
themed-scareware-campai a n.html 

11. http://ddanchev.blo as pot.com/20Q9/ll/scareware- 
campai a n-usin a-a oo a le.html 

12. http://ddanchev.blo as pot.com/20Q9/ll/massive- 
scareware-servin a -blackhat-seo.html 

13. http://ddanchev.blo as pot.com/2009/Q8/dissectin a- 
ona oin a -us-federal-forms.html 

14. http://ddanchev.blo as pot.com/2009/Q8/us-federal- 
forms-blackhat-seo-themed.html 


15. http://ddanchev.blo as pot.com/2009/Q8/blackhat-seo- 
campai a n-hi acks-us.html 

16. http://ddanchev.blo as pot.com/20Q9/Q6/peek-inside- 
mana a ed-blackhat-seo.html 

17. http://ddanchev.blo as pot.com/2009/Q5/dissectin a- 
swine-f1u-black-seo-campai a n.html 

18. http://ddanchev.blo as pot.com/2009/Q4/massive- 
blackhat-seo-campai a n-servin a .html 

19. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with.html 

20. http://ddanchev.blo as pot.com/2009/Q6/from-ukrainian- 
blackhat-seo- a an a -with_09.html 

21. http://ddanchev.blo as pot.com/2009/Q6/from-ukraine- 
with-scareware-servin a .html 


22. http://ddanchev.blo as pot.com/2009/Q6/fake-web- 
hostin a- provider-front-end-to.html 
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A Diverse Portfolio of Fake Security Software - Part 
Twenty Four (2009-12-21 22:58) 

Good traditions are not meant to be broken, in particular the 
"Diverse Portfolio of Fake Security Software" series. 

And with [l]scareware losses to customers already 
(conservatively) estimated at $150 million, combined with 
the overwhelming evidence of scareware becoming the 
monetization method of choice for the majority of 
cybercriminals gathered throughout the entire year - in 
2010 we'll see the peak of a fully matured business model 
that's offering one of the highest payout rates within the 
underground marketplace. 

How can this underground business model be undermined? 

By hitting the"beehive" rather than hitting the 

campaign of particular "bee", and by disrupting the 
monetization flow ultimately leaving the "beehive" with 
hundreds of thousands of "bees" actively infecting without 
the opportunity to collect the cash flaw, thereby putting 
them in a position where the "beehive" becomes unable to 
pay the commissions to the "bees" at the first place. 

Moreover, raising awareness on the most efficient and 
profitable monetization tactic used by cybecriminals in 

the face of scareware ([2]The Ultimate Guide to 
Scareware Protection), is crucial for filling in the gaps, 
since in its current form, scareware is driven exclusively by 




social engineering tactics and aggressive traffic hijacking 
campaigns. 

What's to come in 2010 anyway? It's the culmination 
of an year and half research. Stay tuned folks! 
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The following scareware domains have been recently 
observed in active campaigns online: 

78.46.254.18[3]/96.9.180.102 - AS24940 -HETZNER-AS 
Hetzner Online AG RZ/AS21788 BurstNet Technologies, 

Inc. 

3-scanner .com 
5-scanner .com 
9-scanner .com 
aa-scan .com 
antispy-microsoftO .cn 
antispy-microsoft2 .cn 
aspywarescan .com 
av-scannerr .com 
av-scannerw .com 
av-scannerx .com 


av-scannery .com 


av-scannerz .com 


bb-scan .com 
bspywarescan .com 
cspywarescan .com 
fspywarescan .com 
internetdefencei .com 
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ispywarescan .com 
malware-destroyOl .com 
malware-destroy03 .com 
malware-destroy09.com 
malwarescannere. com 
malwarescannerq .com 
malwarescannerr .com 
malwarescannert .com 
malwarescannerw .com 
pc-securityv .com 
pc-securityv2 .com 
pc-securityv4 .com 


removespywared .com 
removespywarek .com 
re move spyware I .com 
removespywarem .com 
removespywaren .com 
securitybugfixv9 .com 
spyware-removeO .com 
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spyware-remove9 .com 
spyware-removeb .com 
spyware-removee .com 
spyware-removen .com 
titan-antivirus .com 
titan-antivirusv .com 
titan-antivirusy .com 
titan-antivirusz .com 
titan-scanner .com 
trustedmicrosoftscanO .com 
trustedmicrosoftscan8 .com 
ultimatepcscanb .com 



ultimatepcscano .com 
ultimatepcscanp .com 
ultimatepcscanr .com 
windows-antivirusO .com 
windows-antivirusll .com 
windows-antivirus2 .com 
windows-antivirus4 .com 
windows-antivirus8 .com 
win-pro-update .cn 

The scareware domains portfolio profiled in the " 
[4]Celebrity-Themed Scareware Campaign Abusing DocStoc 

and Scribd" post parked at 193.104.110.50, has many new 
typosquatted additions to it: 
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193.104.110.50 - AS50073/SOFTNET Software Service 
Prague s.r.o. 

10-open-davinci .com 
advanced-virusremover2009 .com 
advancedvirus-remover2009 .com 


advanced-virus-remover2009 .com 


advancedvirusremover-2009 .com 


advanced-virusremover-2009 .com 
advanced-virus-remover-2009 .com 
advanced-virus-remover2010 .com 
advanced-virus-remover-2010 .com 
advanced-virus-remover2011 .com 
advanced-virus-remover-2011 .com 
avrdownnew6 .com 
avrdownnew8 .com 
avrdownnew9 .com 
bastaproject .com 
buy-internet-security2010 .com 
coolcountl .com 
coolcount2 .com 
coolprojectnew .com 
downloadavrlO .com 
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downloadavrll .com 


downloadavr!2 .com 


downloadavrl3 .com 


downloadavrl4 .com 
downloadavrl5 .com 
downloadavr20 .com 
downloadavr5 .com 
downloadavr6 .com 
downloadavr7 .com 
downloadavr8 .com 
downloadavr9 .com 
greatcrypt .com 
megacryptnew .com 
pc-scanner2010 .biz 
pc-scanner-2010 .biz 
pcscanner2010 .com 
pc-scanner2010 .com 
pcscanner-2010 .com 
pc-scanner-2010 .com 
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pc-scanner2010 .net 
pc-scanner2010 .org 



pc-scanner-2010 .org 
pc-scanner-2011 .biz 
pc-scanner-2011 .org 
pc-scanner-2012 .com 
pc-scanner-2012 .net 
pc-scanner-2012 .org 
testavrdown .com 
vscodec-pro .net 
vsproject .net 
white-xxx-tube .com 
white-xxxx-tube .com 
xxx-white-tube .net 

The Koobface gang has not only migrated the domains the 
weren't suspended from the previous N [5]Koobface 

Botnet's Scareware Business Model - Part Two" post, but has 
also introduced new ones on the new IPs: 
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193.169.235.5/93.174.95.191 - AS32181/ASN-CQ- 
GIGENET ColoQuest/GigeNet ASN 

goboldscan .com - Email: gleyersth@gmail.com 


godeckscan .com - Email: quetotator@gmail.com 
godirscan .com - Email: momorule@gmail.com 
godotscan .com - Email: gleyersth@gmail.com 
gopullscan .com - Email: stgeyman@gmail.com 
gorootscan .com - Email: stgeyman@gmail.com 
goscanbold .com - Email: gleyersth@gmail.com 
goscandot .com - Email: gleyersth@gmail.com 
goscanhand .com - Email: quetotator@gmail.com 
goscanmend .com - Email: gleyersth@gmail.com 
goscanmoth .com - Email: gleyersth@gmail.com 
goscanpull .com - Email: stgeyman@gmail.com 
goscanref .com - Email: quetotator@gmail.com 
goscanrest .com - Email: quetotator@gmail.com 
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goscanroom .com - Email: gleyersth@gmail.com 

goscanroot .com - Email: stgeyman@gmail.com 

goscantype .com - Email: stgeyman@gmail.com 

Some of these are actively redirecting to another recently 
updated .cn portfolio, once again maintained by the 


Koobface gang, parked at 193 . 169 . 235.6 - AS32181 - ASN- 
CQ-GIGENET ColoQuest/GigeNet ASN: 

193 . 169 . 235.6 - AS32181 - ASN-CQ-GIGENET 
ColoQuest/GigeNet ASN 

diwehym .cn - Email: spscript@hotmail.com 

dizymhe .cn - Email: spscript@hotmail.com 

docigpe .cn - Email: spscript@hotmail.com 

dofawi .cn - Email: spscript@hotmail.com 

domreha .cn - Email: spscript@hotmail.com 

donlaci .cn - Email: spscript@hotmail.com 

donqaw .cn - Email: spscript@hotmail.com 

dopelsi .cn - Email: spscript@hotmail.com 

doquza .cn - Email: spscript@hotmail.com 
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doqypku .cn - Email: spscript@hotmail.com 
egikap .cn - Email: spscript@hotmail.com 
enegoys .cn - Email: spscript@hotmail.com 
eneybis .cn - Email: spscript@hotmail.com 
enoihup .cn - Email: spscript@hotmail.com 
enygoji .cn - Email: spscript@hotmail.com 
enyuwip .cn - Email: spscript@hotmail.com 



epafij .cn - Email: spscript@hotmail.com 
epaumow .cn - Email: spscript@hotmail.com 
epiadyl .cn - Email: spscript@hotmail.com 
epiecgy .cn - Email: spscript@hotmail.com 
g-antivirus .com - Email: mhbilate@gmail.com 
iantiviruspro .com - Email: broderma@gmail.com 
iantivirus-pro .com - Email: feetecho@gmail.com 
iav-pro .com - Email: mcgettel@gmail.com 
in4iv .com - Email: momaust@gmail.com 
inb6ct .com - Email: jobumb@gmail.com 
inb6ik .com - Email: jobumb@gmail.com 
jyqhoki .cn - Email: spscript@hotmail.com 
jyseny .cn - Email: spscript@hotmail.com 
jywmer .cn - Email: spscript@hotmail.com 
jyzixme .cn - Email: spscript@hotmail.com 
jyzuju .cn - Email: spscript@hotmail.com 
kabivu .cn - Email: spscript@hotmail.com 
kacupyb .cn - Email: spscript@hotmail.com 
kajefu .cn - Email: spscript@hotmail.com 
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Another portfolio is parked at 193.169.13.200, our "dear 
friends" AS5577 - ROOT eSolutions: 

antivirusonlinegames .com - Email: 
saracbrown@dodgit.com 

antivirussoftblog .com - Email: 
sharonldixon@trashymail.com 

antyflutool .net - Email: joycerfriley@dodgit.com 

an-ty-virusnow .net - Email: carriedlawrence@gmail.com 

an-ty-virus-tool .com - Email: marydgallo@pookmail.com 

bigvirusscan .com - Email: marydgallo@pookmail.com 

freeantyvirusservice .com - Email: 
alejandrojmckinney@gmail.com 

mysecuritysoft .net - Email: 
mildredkbaker@mailinator.com 

nationalsecuritydirect .com - Email: 
loisjstillings@trashymail.com 

newantispywaresoft .com - Email: 
junejbrubaker@trashymail.com 

newantyvirus .net - Email: johneponder@gmail.com 

progressmovement .com - Email: 
christinegcarroll@trashymail.com 

readonlinestories .com - Email: 
lawrencemtimms@dodgit.com 


removevirusgadget .com - Email: 
benjaminmdickerson@gmail.com 
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scannetradio .com - Email: robertcle@dodgit.com 

securityonlinecopy .net - Email: 
saraldillard@trashymail.com 

securitysoftstore .com - Email: 
anthonybpierce@trashymail.com 

securitytoolsuser .com - Email: 
kyongabrantner@gmail.com 

securitytoolsuser .net - Email: 
jamessvaughn@dodgit.com 

securityutilityshop .net - Email: 
fletchererodriguez@gmail.com 

spacetrafficsafety .com - Email: 
bettycyeates@pookmail.com 

superprotectionact .com - Email: 
darnellbhouse@pookmail.com 

supersafetysolutions .com - Email: 
georgekhorn@pookmail.com 

thebillingaol .com - Email: justindsmith@trashymail.com 

theprogressclub .com - Email: 
jerrysfinlayson@pookmail.com 


theremovevirustool .com - Email: 
dalemharman@dodgit.com 

virusread .com - Email: robertcjones@pookmail.com 

yourfraudprotection .com - Email: 
michelledglover@dodgit.com 

yoursafetysearch .com - Email: 
michelledglover@dodgit.com 

193.104.153.245 - AS5577 - ROOT eSolutions 

antivirusonlinecasino .com - Email: 
alfonzomhopps@mailinator.com 

anti-virustoday .net - Email: 
elishaebeauregard@pookmail.com 

an-ty-flu-service .com - Email: 
edwinwmartinez@trashymail.com 
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bereadonline .com - Email: jeanvfriddle@trashymail.com 

bestantyspyware .net - Email: 
ralphyjackson@pookmail.com 

bodyscanllc .com - Email: ralphyjackson@pookmail.com 

contraspywaresoft .com - Email: 
josephinetmarenco@dodgit.com 

newantyvirustool .net - Email: 
josephinetmarenco@dodgit.com 



remove-virus-tool .com - Email: 
maryprobinson@pookma il.com 

scaninternetradio .com - Email: 
maryprobinson@pookmail.com 

securityonlinegames .net - Email: 
clementeanderson@pookmail.com 

89.248.160.153 - AS29073/ECATEL-AS , Ecatel Network 

do-fastscannow .net - Email: gkook@checkjemail.nl 

do-speedscan .net - Email: gkook@checkjemail.nl 

do-speedscan-search .com - Email: 
gkook@checkjemail.nl 

iwillcheck-it .com - Email: gkook@checkjemail.nl 

systemscan-check .net - Email: gkook@checkjemail.nl 

zguarddata .com - Email: gkook@checkjemail.nl 

193.106.32.10 - TELECOMPO, spol. s r.o. 

antyspywaretoday .net - Email: 
willistbatiste@dodgit.com 

an-ty-virusblog .net - Email: brendapwhite@dodgit.com 

securitysoftshop .net - Email: 
milagrosrporter@pookmail.com 

theantispywaresoft .com - Email: danhjones@gmail.com 

88.198.103.129 - AS24940/HETZNER-AS Hetzner Online AG 
RZ 



antispyscanb4 .com 
onlinescanner70 .com 
onlinescanner80 .com 
pro-antivir03 .com 
scannerintheinternetO .com 
windowscanner21 .com 
windowscanner51 .com 
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88.198.160.57 - AS24940/HETZNER-AS Hetzner Online AG 
RZ 

a7bestdefence .com 
antispyscanb4 .com 
best-antivirus99 .com 
onlinescanner70 .com 
onlinescanner80 .com 
pro-antivir03 .com 
pro-antivirus99 .com 
scannerintheinternetO .com 
toplOdefenceb .com 


toplOdefencef .com 
windowscanner21 .com 
windowscanner51 .com 

Sample detection rate: [6JSetupAdvancedVirusRemover.exe; 
[7]lnstall.exe; [8]lnstall(l).exe 

Upon execution the samples phone back to: 

downloadavr20 . com/loads. php?code=OOON ULL 

downloadavr20 .com/dfghfghgfj.dll 

downloadavr20 .com/cgi-bin/download.pl? 
code=000N ULL 

testavrdown .com/cgi-bin/get.pl?l=OOONULL 
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Sample detection rate for the dropped files: 

[9]SetuplS2010.exe; [ 10]dfghfghgfj.dll 

Hitting them where it hurts most - [ll]the monetization 
flow - since [12]2007. Domain suspension is in progress, the 
ISPs have been notified as usual. 

Related posts: 

[13] The Ultimate Guide to Scareware Protection 

[14] A Diverse Portfolio of Fake Security Software - Part 
Twenty Three 

[15] A Diverse Portfolio of Fake Security Software - Part 
Twenty Two 



[16] A Diverse Portfolio of 
Twenty One 

[17] A Diverse Portfolio of 
Twenty 

[18] A Diverse Portfolio of 
Nineteen 

[19] A Diverse Portfolio of 
Eighteen 

[20] A Diverse Portfolio of 
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[30] A Diverse Portfolio of Fake Security Software - Part 
Seven 
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Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline (2009-12-22 10:49) 

Last week, Josh Kirkwood, Network Engineer at Blue Square 
Data Group Services Limited, with whom I've been 








































keeping in touch regarding the blackhat SEO activity 
courtesy of the Koobface gang, and actual [l]Koobface 
botnet activity that's been taking place there for months, 
pinged me with an interesting email -" Riccom are now 
gone" 

([2]AS29550). He also pinged the folks at [3]hpHosts in 
response to their posts once again emphasizing on [4]the 
malicious activity taking place there. 

Since I've been analyzing Riccom LTD activity in the context 
of "in-the-wild" blackhat SEO campaigns launched by the 
Koobface gang, followed by establishing direct Koobace 
botnet connections, as well as sharing data with Josh, 
Riccom LTD clearly deserves a brief retrospective of the 
malicious activity that took place there. 

Malicious activity I've been analyzing since August, 2009: 

• August 06 - scareware parked at 91.212.107.5 analyzed 
in M [5]Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware" 

• August 10 - more scareware introduced at 91.212.107.5 
analyzed in "[6]U.S Federal Forms Blackhat SEO Themed 
Scareware Campaign Expanding" 
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• August 18 - scareware domains continue getting 
introduced at 91.212.107.5, analyzed in "[7]Dissecting the 
Ongoing U.S Federal Forms Themed Blackhat SEO 
Campaign" 

• August 19 - Actual [8]Koobface command and control 
server parked within BlueConnex's ASN, they take action 



against 85.234.141.92 -" Three hours after notification, 
Blue Square Data Group Services Limited ensures that 

"the customer has been disconnected permanently". It's a 
fact. All of Koobface worm's campaigns currently redirect to 
nowhere. " 

• September 14 - the [9]malvertising attack at the web 
site of the New York Times, not only used a redirector that 
was simultaneously pushed by Koobface-infected host 
hosted on an [10]IP known to be managed by the 

gang's blackhat SEO team ,but also, the actual scareware 
domain used relied on Riccom LTD hosting again at 

91.212.107.103 

• September 16 - 91.212.107.103 remains the [ll]most 
widely abused IP hosting scareware served by the Koobface 
botnet. Action is taken again the entire .info tld domain 
portfolio, the domains are suspended within a 48 

hours period of time courtesy of AFILIAS. 

• November 11 - cat and mouse game between the 
company, me, and the Koobface gang is taking place, 

now that a connection between the Koobface gang and the 
Bahama botnet has been clearly established. 

[12]New scareware domains are introduced at 
91.212.107.103, as well as at the still active [13]AS44042 

ROOT eSolutions. The Koobface [14]gang once again proves 
it "knows my name" by typosquatting domains 



and registering them with typosquatted variants of my 
name ( pancho-2807 .com is registered to Pancho 

Panchev, pancho.panchev@gmaii.com, followed by 
rdr20090924 .info registered to Vane ho Vanchev, van- 

chovanchev@maii.ru). Upon notification 91.212.107.103 
has been taken offline courtesy of Blue Square Data Group 
Services Limited. 

• November 17 - A week later the gang [15]resumes 
operations at the same Riccom LTD IP - 11 Tuesday, November 
17, 2009: Koobface is resuming scareware (Inst_312s2.exe) 
operations at 91.212.107.103 which was taken 

offline for a short period of time. ISP has been notified 
again". 

Clearly, in terms of cybercrime, especially one that's 
monetizing an asset with high liquidity such as scareware, 

"better late than never" doesn't seem to sound very 
appropriate. 

Image courtesy of TrendMicro's [16]The Heart of Koobface - 
C &C and Social Network Propagation report. 

Related Koobface research published in 2009: 

[17] Koobface Botnet Starts Serving Client-Side Exploits 

[18] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[19] Koobface Botnet's Scareware Business Model - Part Two 

[20] Koobface Botnet's Scareware Business Model - Part One 



[21] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[22] New Koobface campaign spoofs Adobe's Flash updater 

[23] Social engineering tactics of the Koobface botnet 

[24] Koobface Botnet Dissected in a TrendMicro Report 

[25] Movement on the Koobface Front - Part Two 

[26] Movement on the Koobface Front 

[27] Koobface - Come Out, Come Out, Wherever You Are 

[28] Dissecting Koobface Worm's Twitter Campaign 
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blog. 
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Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline (2009-12-22 10:49) 

Last week, Josh Kirkwood, Network Engineer at Blue Square 
Data Group Services Limited, with whom I've been 

keeping in touch regarding the blackhat SEO activity 
courtesy of the Koobface gang, and actual [lJKoobface 
botnet activity that's been taking place there for months, 
pinged me with an interesting email - 11 Riccom are now 
gone " 

([2JAS29550). He also pinged the folks at [3]hpHosts in 
response to their posts once again emphasizing on [4]the 
malicious activity taking place there. 

Since I've been analyzing Riccom LTD activity in the context 
of "in-the-wild" blackhat SEO campaigns launched by the 
Koobface gang, followed by establishing direct Koobace 
botnet connections, as well as sharing data with Josh, 
Riccom LTD clearly deserves a brief retrospective of the 
malicious activity that took place there. 

Malicious activity I've been analyzing since August, 2009: 

• August 06 - scareware parked at 91.212.107.5 analyzed 
in M [5]Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware" 

• August 10 - more scareware introduced at 91.212.107.5 
analyzed in "[6JU.S Federal Forms Blackhat SEO Themed 
Scareware Campaign Expanding" 

• August 18 - scareware domains continue getting 
introduced at 91.212.107.5, analyzed in "[7]Dissecting the 
Ongoing U.S Federal Forms Themed Blackhat SEO 
Campaign" 
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• August 19 - Actual [8]Koobface command and control 
server parked within BlueConnex's ASN, they take action 
against 85.234.141.92 -" Three hours after notification, 
Blue Square Data Group Services Limited ensures that 

"the customer has been disconnected permanently". It's a 
fact. All of Koobface worm's campaigns currently redirect to 
nowhere. " 

• September 14 - the [9]malvertising attack at the web 
site of the New York Times, not only used a redirector that 
was simultaneously pushed by Koobface-infected host 
hosted on an [10]IP known to be managed by the 

gang's blackhat SEO team ,but also, the actual scareware 
domain used relied on Riccom LTD hosting again at 

91.212.107.103 

• September 16 - 91.212.107.103 remains the [ll]most 
widely abused IP hosting scareware served by the Koobface 
botnet. Action is taken again the entire .info tld domain 
portfolio, the domains are suspended within a 48 

hours period of time courtesy of AFILIAS. 

• November 11 - cat and mouse game between the 
company, me, and the Koobface gang is taking place, 

now that a connection between the Koobface gang and the 
Bahama botnet has been clearly established. 

[12]New scareware domains are introduced at 
91.212.107.103, as well as at the still active [13]AS44042 



ROOT eSolutions. The Koobface [14]gang once again proves 
it "knows my name" by typosquatting domains 

and registering them with typosquatted variants of my 
name ( pancho-2807 .com is registered to Pancho 

Panchev, pancho.panchev@gmail.com, followed by 
rdr20090924 .info registered to Vane ho Vanchev, van- 

chovanchev@mail.ru). Upon notification 91.212.107.103 
has been taken offline courtesy of Blue Square Data Group 
Services Limited. 

• November 17 - A week later the gang [15]resumes 
operations at the same Riccom LTD IP -" Tuesday, November 
17, 2009: Koobface is resuming scareware (Inst _312s2.exe) 
operations at 91.212.107.103 which was taken 

offline for a short period of time. ISP has been notified 
again". 

Clearly, in terms of cybercrime, especially one that's 
monetizing an asset with high liquidity such as scareware, 

"better late than never" doesn't seem to sound very 
appropriate. 

Image courtesy of TrendMicro's [16]The Heart of Koobface - 
C &C and Social Network Propagation report. 

Related Koobface research published in 2009: 

[17] Koobface Botnet Starts Serving Client-Side Exploits 

[18] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[19] Koobface Botnet's Scareware Business Model - Part Two 



[20] Koobface Botnet's Scareware Business Model - Part One 

[21] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[22] New Koobface campaign spoofs Adobe's Flash updater 

[23] Social engineering tactics of the Koobface botnet 

[24] Koobface Botnet Dissected in a TrendMicro Report 

[25] Movement on the Koobface Front - Part Two 

[26] Movement on the Koobface Front 

[27] Koobface - Come Out, Come Out, Wherever You Are 

[28] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [29]Dancho Danchev's 
blog. 

1. http://twitter.com/danchodanchev/status/6549021186 

2. http://www.ris.ripe.net/c a i-bin/l a /index.c ai? 
rrc=RRC001&auerv=l&ar a = 91.212.107.0%2F24+ 

3. 

http://hphosts.blo as pot.com/2QQ9/12/blueconnexeuroconne 

x-as29550-riccom-ltd.html 

4. 

http://hphosts.blo as pot.com/2QQ9/12/euroconnexblueconne 

x-boots-riccom-ltd.html 
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5. http://ddanchev.blo as DOt.com/2QQ9/08/blackhat-seo- 
campai a n-hi i acks-us.html 

6. http://ddanchev.blo as pot.com/20Q9/Q8/us-federal-forms- 
blackhat-seo-themed.html 

7. http://ddanchev.blo as pot.com/2QQ9/Q8/dissectin a- 
ona oi n a -us-feder3l-forms.html 

8. http://ddanchev.blo as pot.com/2QQ9/Q8/movement-on- 
koobface-front-part-two.html 

9. http://ddanchev.blo as pot.com/20Q9/Q9/ukrainian-fan- 
club-features.html 


10. http://ddanchev.blo as pot.com/2QQ9/Q8/dissectin a- 
ona oin a -us-federal-forms.html 

11. http://ddanchev.blo as pot.com/2QQ9/Q9/koobface- 
botnets-scareware-business.html 


12. http://ddanchev.blo as pot.com/2QQ9/ll/koobface- 
botnets-scareware-business.html 


13. http://ddanchev.blo as pot.com/2QQ9/Q8/us-federal- 
forms-blackhat-seo-themed.html 


14. http://ddanchev.blo as pot.com/2QQ9/lQ/koobface- 
botnet-dissected-in-trendmicro.html 


15. http://ddanchev.blo as pot.com/2QQ9/ll/koobface- 
b otn ets-sca rewa re- lb u s \ n ess.html 

16. 

http://us.trendmicro.com/imperia/md/content/us/trendwatch 

/researchandanalvsis/the_20heart_20of_20koobface 


final_l_.pdf 













































17. http://ddanchev.blo as DOt.com/2QQ9/ll/koobface- 
botnet-starts-servm a -client.html 


18. http://ddanchev.blo as pot.com/2QQ9/ll/massive- 
scareware-servin a -blackhat-seo.html 

19. http://ddanchev.blo as pot.com/2QQ9/ll/koobface- 
botnets-scareware-business.html 


20. http://ddanchev.blo as pot.com/2QQ9/Q9/koobface- 
botnets-scareware-business.html 


21. http://ddanchev.blo as pot.com/20Q9/lQ/koobface- 
botnet-redirects-facebooks-ip.html 

22. http://blo a s.zdnet.com/securit v/? p=4594 

23. http://content.zdnet.com/2346-12691 22-352597.html 

24. http://ddanchev.blo as pot.com/2QQ9/10/koobface- 
botnet-dissected-in-trendmicro.html 


25. http://ddanchev.blo as pot.com/20Q9/Q8/movement-on- 
koobface-front-part-two.html 

26. http://ddanchev.blo as pot.com/20Q9/Q8/movement-on- 
koobface-front.html 


27. http://ddanchev.blo as pot.com/2QQ9/Q7/koobface-come- 
Qut-come-Qut-wherever-vou.html 

28. http://ddanchev.blo as pot.com/2QQ9/Q7/dissectin a- 
koobface-worms-twitter.html 


29. http://ddanchev.blo as pot.com/ 
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The Koobface Gang Wishes the Industry "Happy 
Holidays" (2009-12-26 23:25) 

Oops, they did it again - the Koobface gang, which is now 
officially self-describing itself as AN Baba and the 40 Thieves 
LLC, has not only included a Koobface-themed - notice the 
worm in the name - background on Koobface-infected 

hosts, but it has also included a "Wish Koobface Happy 
Holidays" script - last time I checked there were 10,000 

people who clicked it - followed by the most extensive 
message ever left by the gang, which is amusingly 
attempting to legitimize the activities of the gang. 
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In short, the message with clear elements of PSYOPS, 
attempts to position the Koobface worm as a software, where 
the new features are requested by users, and that by 
continuing its development, the authors are actually 
improving Facebook's security systems. For the record, the 
Koobface botnet itself is only the tip of the iceberg 
for the malicious activities the group itself is 
involved in. Consider going through the related Koobface 
research posts featured at the bottom of the post, in order to 
grasp the importance of how widespread and high-profile 
the activities of this group are. The exact message, 
screenshot of which is attached reads: 

Our team, so often called "Koobface Gang", expresses high 
gratitude for the help in bug fixing, researches and 
documentation for our software to: 


• Kaspersky Lab for the name of Koobface and [1]25 
millionth malicious program award; 

• Dancho Danchev (http://ddanchev.biogspot.com) who 
worked hard every day especially on our First Software 

& Architecture version, writing lots of e-mails to different 
hosting companies and structures to take down our 
Command-and-Control (C &C) servers, and of course 
analyzing software under VM Ware; 

• Trend Micro (http://trendmicro.com), especially personal 
thanks to Jonell Baltazar, Joey Costoya, and Ryan 

Flores who had released [2]a very cool document (with 
three parts!) describing ail our mistakes we've ever made; 

• Cisco for their 3rd place to our software in their annual 
[3]"working groups awards"; 

• Soren Siebert with [4]his great article; 

• Hundreds of users who send us logs, crash reports, and 
wish-lists. 

In fact, it was a really hard year. We've made many efforts 
to improve our software. Thanks to Face book's security 
team - the guys made us move ahead. And we've moved. 
And will move. Improving their security system. 

By the way, we did not have a cent using Twitter's traffic. 

But many security issues tell the world we did. 

They are wrong. As many people know, "virus" is something 
awful, which crashes computers, steals credential 



information as good as all passwords and credit cards. Our 
software did not ever steal credit card or online bank 882 

information, passwords or any other confidential data. And 
WILL NOT EVER. As for the crashes... We are really sorry. 

We work on it:) Wish you a good luck in new year and... 
Merry Christmas to you! 

Always yours, "Koobface Gang". 

For the record, in case you were living on the other side of 
the universe, and weren't interested in the raw details 
taking place within the underground ecosystem, in July, 
2009, I was [5]the only individual ever mentioned by 
the Koobface gang, which back then included [6]the 
following message within the [7]command and control 
infrastructure for 9 days: 

• 11 We express our high gratitude to Dancho Danchev 
(http://ddanchev.biogspot.com) for the help in bug 
fixing, 

researches and documentation for our software. " 

Next to [8]the folks at TrendMicro, the DHS also featured the 
event in [9]DHS Daily Open Source Infrastructure Report for 
3 September 2009 at page 18: 

• " This individual is an independent security consultant 
who plays an active role in tracking and shutting down 
botnets and other illegal operations. " 

It got ever more personal when [10]the Koobface gang 
redirected Facebook's entire IP space to my blog in 
October, 2009, resulting in [ll]thousands of Facebook 
visits every time [ 12]their crawlers were visiting a 



[13]Koobface-infected host. Thankfully, Facebook's Security 
Incident Response Team quickly took care of the issue. 

In the spirit of Christmas, I'd also like to wish the Koobface 
gang happy holidays, and promise them that the 

cherry on the top of the research pie will see daylight 
anytime soon. First of all, I'd like to wish them happy 
holidays with [14]Frank Sinatra - "I've got you under 
my skin" . They'll get the point. 

[EMBED] 

And now comes my Christmas present, systematic take¬ 
down, blacklisting, and domain suspension of Koob¬ 
face scareware operations. 
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Sample detection rates by Koobface binaries - [15]go.exe; 
[16]fb.79.exe; [17]fblanding.exe; [18]v2captcha.exe; 

[19]v2webserver.exe; [20]pack _312s3.exe (the scareware). 
The currently active artificial2010 .com/?pid=312s02 

&sid=4dbl2f - Email: Josefinat@yahoo.com - 
193.104.22.200 - [21]AS34305; EUROACCESS Global 
Autonomous System acts as a redirector to the scareware 
domain portfolio. 

Currently 

active 

portfolio 


of 


scareware 

domains 

pushed 

by 

the 

Koobface 

botnet, 

parked 

at 

193.104.22.200/91.212.226.95: 

2010scanneral .com - Email: 
NathanHSchafer@yahoo.com 

artificial2010 .com - Email: Josefinat@yahoo.com 

bestdiscounts2010 .com - Email: 
FrancesHAustin@yahoo.com 

bestparty2009 .com - Email: FrancesHAustin@yahoo.com 

bestparty2010 .com - Email: FrancesHAustin@yahoo.com 

bestpffers2010 .com - Email: FrancesHAustin@yahoo.com 

best-wishes-design .com - Email: 
FrancesHAustin@yahoo.com 



bestyearparty .com - Email: FrancesHAustin@yahoo.com 


celebrate2009year .com - Email: 
FrancesHAustin@yahoo.com 

celebrate-designs .com - Email: 
FrancesHAustin@yahoo.com 

happy-newyear2010 .com - Email: 
JerryHWallace@yahoo.com 

internetproscanm .com - Email: 
JacquelynMRyan@yahoo.com 

internetproscanq .com - Email: 
JacquelynMRyan@yahoo.com 
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internetproscanr .com - Email: 
JacquelynMRyan@yahoo.com 

internetproscanw .com - Email: 
JacquelynMRyan@yahoo.com 

internetproscany .com - Email: 
JacquelynMRyan@yahoo.com 

megascannera .com - Email: 
MichaelDFranklin@yahoo.com 

megasecurityl .com - Email: 
MichaelDFranklin@yahoo.com 

megasecurityp .com - Email: 
MichaelDFranklin@yahoo.com 



megasecurityq .com - Email: 
MichaelDFranklin@yahoo.com 

newholidaydesigns .com - Email: 
FrancesHAustin@yahoo.com 

newyearandsanta .com - Email: 
JerryHWallace@yahoo.com 

newyeardesgings .com - Email: 
FrancesHAustin@yahoo.com 

onlinesecuritynl .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn2 .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn3 .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn4 .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn5 .com - Email: LucyGBrown@yahoo.com 

online-securtiyvl .com - Email: LucyGBrown@yahoo.com 

online-securtiyv4 .com - Email: LucyGBrown@yahoo.com 

online-securtiyv5 .com - Email: LucyGBrown@yahoo.com 

onlineviruskillaO .com - Email: 
JacquelynMRyan@yahoo.com 

onlineviruskilla2 .com - Email: 
JacquelynMRyan@yahoo.com 

onlineviruskilla4 .com - Email: 
JacquelynMRyan@yahoo.com 



onlineviruskilla6 .com - Email: 
JacquelynMRyan@yahoo.com 

onlineviruskilla8 .com - Email: 
JacquelynMRyan@yahoo.com 

santa-christmas2010 .com - Email: 
JerryHWallace@yahoo.com 

snowandchristmas .com - Email: 
JerryHWallace@yahoo.com 

thebestantispys .com - Email: ThomasLRoy@yahoo.com 
Christmas-themed scareware serving domains: 

happy-newyear2010 .com 
celebrate2009year .com 
newyearandsanta .com 
newyeardesgings .com 
santa-christmas2010 .com 
snowandchristmas .com 
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Speaking of AS34305; EUROACCESS Global Autonomous 
System, they're also hosting scareware campaigns at 
another 

IP - 193.104.22.50 in particular: 

pcprotect2010 .com - Email: admin@pcprotect2010.com 


bestantispysoft2010 .com - Email: 
admin@bestantispysoft2010.com 

worldantispywarel .com - Email: 
admin@worldantispywarel.com 

antispyware24x7 .com - Email: 
admin@antispyware24x7.com 

spydetector2009 .com - Email: 
admin@spydetector2009.com 

myprivatesoft2009 .com - Email: 
admin@myprivatesoft2009.com 

itsafetyonline .com - Email: admin@itsafetyonline.com 

antispycenterprof .com - Email: 
admin@antispycenterprof.com 

webspydetectunlim .com - Email: 
admin@webspydetectunlim.com 

pcsafetyplatinum .com - Email: 
admin@webspydetectunlim.com 

spywaredetect24pro .com - Email: 
admin@spywaredetect24pro.com 

eliminater2009pro .com - Email: 
admin@eliminater2009pro.com 

pcsafety2009pro .com - Email: 
admin@pcsafety2009pro.com 
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securityztop .com - Email: admin@securityztop.com 



antisspywarescenter .com - Email: 
admin@antisspywarescenter.com 

viridentifycenter .com - Email: molda444vimo@safe- 
mail.net 

antispywarets .com - Email: admin@antispywarets.com 

winvantivirus .com - Email: admin@winvantivirus.com 

antispywaresnet .com - Email: 
admin@antispywaresnet.com 

securityprosoft .com - Email: admin@securityprosoft.com 

onlineantispysoft .com - Email: 
admin@onlineantispysoft.com 

worldsantispysoft .com - Email: 
admin@worldsantispysoft.com 

antispyworldwideint .com - Email: 
admin@antispyworldwideint.com 

ivirusidentify .com - Email: admin@ivirusidentify.com 

Within the same ASN, we can also find the following 
[22]Zeus crimeware serving domains, courtesy of the 

Zeus Tracker: 

print-design .cn - Email: alexsundren@gmail.com 

backup2009 .com - Email: tahli@yahoo.com - association 
with [23]money mule recruitment domain registration 
1211news .com - Email: tahli@yahoo.com 

tuttakto .com - Email: tahli@yahoo.com 



filatok .com - Email: tahli@yahoo.com 

wwwldr .com - Email: tahli@yahoo.com 

bbbboom .com - Email: tahli@yahoo.com 

fantlk .com - Email: tahli@yahoo.com 

hoooools .com - Email: tahli@yahoo.com 

ianndex .com - Email: tahli@yahoo.com 

vklom .com - Email: tahli@yahoo.com 

wwwbypost .com - Email: tahli@yahoo.com 

wwwudacha .com - Email: tahli@yahoo.com 

[24]Sampled scareware phones back to: 

ardeana-couture .com/?b=lsl - 204.12.252.99, parked 
there is also windowssp3download .com - Email: 
contact@subarutechs.com 

winrescueupdate .com/download/winlogo.bmp - 

89.248.162.147 

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel 
Network) used to host the following scareware do¬ 
mains: 

attention-scanner .com - Email: khouri@atomtech.cc 
be-secured2 .com - Email: info@scholarnyc.com 
best-scanner-f .com - Email: LouisALeavitt@yahoo.com 



get-secure2 .com - Email: info@scholarnyc.com 

installprotection2 .com - Email: info@scholarnyc.com 

online-defense7 .com - Email: 
contacts@manipadni.com.br 

scan-spyware2 .com - Email: info@paristours.fr 

topscan2 .com - Email: LouisALeavitt@yahoo.com 

topscan3 .com - Email: LouisALeavitt@yahoo.com 

virus-pcscan .com - Email: admin@rewards.de 

win-scan05 .com - Email: katia@salsat.eu 

win-scan07 .com - Email: katia@salsat.eu 

win-scan09 .com - Email: katia@salsat.eu 

winrescueupdate .com 

winscannerOl .com - Email: contacts@crunchiesb.com 
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winscannerl8 .com - Email: contacts@crunchiesb.com 
your-protection8 .com - Email: admin@Relocation.it 
Happy Holidays, too! 

Related Koobface research published in 2009: 

[25] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[26] Koobface Botnet Starts Serving Client-Side Exploits 



[27] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[28] Koobface Botnet's Scareware Business Model - Part Two 

[29] Koobface Botnet's Scareware Business Model - Part One 

[30] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[31] New Koobface campaign spoofs Adobe's Flash updater 

[32] Social engineering tactics of the Koobface botnet 

[33] Koobface Botnet Dissected in a TrendMicro Report 

[34] Movement on the Koobface Front - Part Two 

[35] Movement on the Koobface Front 

[36] Koobface - Come Out, Come Out, Wherever You Are 

[37] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [38]Dancho Danchev's 
blog. 
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The Koobface Gang Wishes the Industry "Happy 
Holidays" (2009-12-26 23:25) 



































Oops, they did it again - the Koobface gang, which is now 
officially self-describing itself as AN Baba and the 40 Thieves 
LLC, has not only included a Koobface-themed - notice the 
worm in the name - background on Koobface-infected 

hosts, but it has also included a "Wish Koobface Happy 
Holidays" script - last time I checked there were 10,000 

people who clicked it - followed by the most extensive 
message ever left by the gang, which is amusingly 
attempting to legitimize the activities of the gang. 
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In short, the message with clear elements of PSYOPS, 
attempts to position the Koobface worm as a software, where 
the new features are requested by users, and that by 
continuing its development, the authors are actually 
improving Facebook's security systems. For the record, the 
Koobface botnet itself is only the tip of the iceberg 
for the malicious activities the group itself is 
involved in. Consider going through the related Koobface 
research posts featured at the bottom of the post, in order to 
grasp the importance of how widespread and high-profile 
the activities of this group are. The exact message, 
screenshot of which is attached reads: 

Our team, so often called "Koobface Gang", expresses high 
gratitude for the help in bug fixing, researches and 
documentation for our software to: 

• Kaspersky Lab for the name of Koobface and [1]25 
millionth malicious program award; 


• Dancho Danchev (http://ddanchev.blogspot.com) who 
worked hard every day especially on our First Software 

& Architecture version, writing lots of e-mails to different 
hosting companies and structures to take down our 
Command-and-Controi (C &C) servers, and of course 
analyzing software under VM Ware; 

• Trend Micro (http://trendmicro.com), especially personal 
thanks to Jonell Baltazar, Joey Costoya, and Ryan 

Flores who had released [2]a very cool document (with 
three parts!) describing ail our mistakes we've ever made; 

• Cisco for their 3rd place to our software in their annual 
[3]"working groups awards"; 

• Soren Siebert with [4]his great article; 

• Hundreds of users who send us logs, crash reports, and 
wish-lists. 

In fact, it was a really hard year. We've made many efforts 
to improve our software. Thanks to Face book's security 
team - the guys made us move ahead. And we've moved. 
And will move. Improving their security system. 

By the way, we did not have a cent using Twitter's traffic. 

But many security issues tell the world we did. 

They are wrong. As many people know, "virus" is something 
awful, which crashes computers, steals credential 
information as good as all passwords and credit cards. Our 
software did not ever steal credit card or online bank 
information, passwords or any other confidential data. And 
WILL NOT EVER. As for the crashes... We are really sorry. 
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We work on it:) Wish you a good luck in new year and... 
Merry Christmas to you! 

Always yours, "Koobface Gang". 

For the record, in case you were living on the other side of 
the universe, and weren't interested in the raw details 
taking place within the underground ecosystem, in July, 
2009, I was [5]the only individual ever mentioned by 
the Koobface gang, which back then included [6]the 
following message within the [7]command and control 
infrastructure for 9 days: 

• " We express our high gratitude to Dancho Danchev 
(http://ddanchev.biogspot.com) for the help in bug 
fixing, 

researches and documentation for our software. " 

Next to [8]the folks at TrendMicro, the DHS also featured the 
event in [9]DHS Daily Open Source Infrastructure Report for 
3 September 2009 at page 18: 

• 11 This individual is an independent security consultant 
who plays an active role in tracking and shutting down 
botnets and other illegal operations. " 

It got ever more personal when [lOJthe Koobface gang 
redirected Facebook's entire IP space to my blog in 
October, 2009, resulting in [ll]thousands of Facebook 
visits every time [ 12]their crawlers were visiting a 
[13]Koobface-infected host. Thankfully, Facebook's Security 
Incident Response Team quickly took care of the issue. 



In the spirit of Christmas, I'd also like to wish the Koobface 
gang happy holidays, and promise them that the 

cherry on the top of the research pie will see daylight 
anytime soon. First of all, I'd like to wish them happy 
holidays with [14]Frank Sinatra - "I've got you under 
my skin" . They'll get the point. 

And now comes my Christmas present, systematic take¬ 
down, blacklisting, and domain suspension of Koob¬ 
face scareware operations. 
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Sample detection rates by Koobface binaries - [15]go.exe; 
[16]fb.79.exe; [17]fblanding.exe; [18Jv2captcha.exe; 

[19]v2webserver.exe; [20]pack _312s3.exe (the scareware). 
The currently active artificial2010 .com/?pid=312s02 

&sid=4dbl2f - Email: Josefinat@yahoo.com - 
193.104.22.200 - [21JAS34305; EUROACCESS Global 
Autonomous System acts as a redirector to the scareware 
domain portfolio. 

Currently 

active 

portfolio 

of 


scareware 


domains 


pushed 

by 

the 

Koobface 

botnet, 

parked 

at 

193.104.22.200/91.212.226.95: 

2010scanneral .com - Email: 
NathanHSchafer@yahoo.com 

artificial2010 .com - Email: Josefinat@yahoo.com 

bestdiscounts2010 .com - Email: 
FrancesHAustin@yahoo.com 

bestparty2009 .com - Email: FrancesHAustin@yahoo.com 

bestparty2010 .com - Email: FrancesHAustin@yahoo.com 

bestpffers2010 .com - Email: FrancesHAustin@yahoo.com 

best-wishes-design .com - Email: 
FrancesHAustin@yahoo.com 

bestyearparty .com - Email: FrancesHAustin@yahoo.com 



celebrate2009year .com - Email: 
FrancesHAustin@yahoo.com 

celebrate-designs .com - Email: 
FrancesHAustin@yahoo.com 

happy-newyear2010 .com - Email 
JerryHWallace@yahoo.com 

internetproscanm .com - Email: 
JacquelynMRyan@yahoo.com 

internetproscanq .com - Email: 
JacquelynMRyan@yahoo.com 

internetproscanr .com - Email: 
JacquelynMRyan@yahoo.com 
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internetproscanw .com - Email: 
JacquelynMRyan@yahoo.com 

internetproscany .com - Email: 
JacquelynMRyan@yahoo.com 

megascannera .com - Email: 
MichaelDFranklin@yahoo.com 

megasecurityl .com - Email: 
MichaelDFranklin@yahoo.com 

megasecurityp .com - Email: 
MichaelDFranklin@yahoo.com 

megasecurityq .com - Email: 
MichaelDFranklin@yahoo.com 



newholidaydesigns .com - Email: 
FrancesHAustin@yahoo.com 

newyearandsanta .com - Email: 
JerryHWallace@yahoo.com 

newyeardesgings .com - Email: 
FrancesHAustin@yahoo.com 

onlinesecuritynl .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn2 .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn3 .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn4 .com - Email: LucyGBrown@yahoo.com 

onlinesecurityn5 .com - Email: LucyGBrown@yahoo.com 

online-securtiyvl .com - Email: LucyGBrown@yahoo.com 

online-securtiyv4 .com - Email: LucyGBrown@yahoo.com 

online-securtiyv5 .com - Email: LucyGBrown@yahoo.com 

onlineviruskillaO .com - Email: 
JacquelynMRyan@yahoo.com 

onlineviruskilla2 .com - Email: 
JacquelynMRyan@yahoo.com 

onlineviruskilla4 .com - Email: 
JacquelynMRyan@yahoo.com 

onlineviruskilla6 .com - Email: 
JacquelynMRyan@yahoo.com 



onlineviruskilla8 .com - Email: 
JacquelynMRyan@yahoo.com 

santa-christmas2010 .com - Email: 
JerryHWallace@yahoo.com 

snowandchristmas .com - Email: 
JerryHWallace@yahoo.com 

thebestantispys .com - Email: ThomasLRoy@yahoo.com 
Christmas-themed scareware serving domains: 

happy-newyear2010 .com 
celebrate2009year .com 
newyearandsanta .com 
newyeardesgings .com 
santa-christmas2010 .com 
snowandchristmas .com 
894 


£ 


Speaking of AS34305; EUROACCESS Global Autonomous 
System, they're also hosting scareware campaigns at 
another 

IP - 193.104.22.50 in particular: 

pcprotect2010 .com - Email: admin@pcprotect2010.com 

bestantispysoft2010 .com - Email: 
admin@bestantispysoft2010.com 


worldantispywarel .com - Email: 
admin@worldantispywarel.com 

antispyware24x7 .com - Email: 
admin@antispyware24x7.com 

spydetector2009 .com - Email: 
admin@spydetector2009.com 

myprivatesoft2009 .com - Email: 
admin@myprivatesoft2009.com 

itsafetyonline .com - Email: admin@itsafetyonline.com 

antispycenterprof .com - Email: 
admin@antispycenterprof.com 

webspydetectunlim .com - Email: 
admin@webspydetectunlim.com 

pcsafetyplatinum .com - Email: 
admin@webspydetectunlim.com 

spywaredetect24pro .com - Email: 
admin@spywaredetect24pro.com 

eliminater2009pro .com - Email: 
admin@eliminater2009pro.com 

pcsafety2009pro .com - Email: 
admin@pcsafety2009pro.com 
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securityztop .com - Email: admin@securityztop.com 

antisspywarescenter .com - Email: 
admin@antisspywarescenter.com 



viridentifycenter .com - Email: molda444vimo@safe- 
mail.net 

antispywarets .com - Email: admin@antispywarets.com 

winvantivirus .com - Email: admin@winvantivirus.com 

antispywaresnet .com - Email: 
admin@antispywaresnet.com 

securityprosoft .com - Email: admin@securityprosoft.com 

onlineantispysoft .com - Email: 
admin@onlineantispysoft.com 

worldsantispysoft .com - Email: 
admin@worldsantispysoft.com 

antispyworldwideint .com - Email: 
admin@antispyworldwideint.com 

ivirusidentify .com - Email: admin@ivirusidentify.com 

Within the same ASN, we can also find the following 
[22]Zeus crimeware serving domains, courtesy of the 

Zeus Tracker: 

print-design .cn - Email: alexsundren@gmail.com 

backup2009 .com - Email: tahli@yahoo.com - association 
with [23]money mule recruitment domain registration 
1211news .com - Email: tahli@yahoo.com 

tuttakto .com - Email: tahli@yahoo.com 

filatok .com - Email: tahli@yahoo.com 



wwwldr .com - Email: tahli@yahoo.com 

bbbboom .com - Email: tahli@yahoo.com 

fantlk .com - Email: tahli@yahoo.com 

hoooools .com - Email: tahli@yahoo.com 

ianndex .com - Email: tahli@yahoo.com 

vklom .com - Email: tahli@yahoo.com 

wwwbypost .com - Email: tahli@yahoo.com 

wwwudacha .com - Email: tahli@yahoo.com 

[24]Sampled scareware phones back to: 

ardeana-couture .com/?b=lsl - 204.12.252.99, parked 
there is also windowssp3download .com - Email: 
contact@subarutechs.com 

winrescueupdate .com/download/winlogo.bmp - 

89.248.162.147 

Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel 
Network) used to host the following scareware do¬ 
mains: 

attention-scanner .com - Email: khouri@atomtech.cc 
be-secured2 .com - Email: info@scholarnyc.com 
best-scanner-f .com - Email: LouisALeavitt@yahoo.com 
get-secure2 .com - Email: info@scholarnyc.com 



installprotection2 .com - Email: info@scholarnyc.com 

online-defense7 .com - Email: 
contacts@manipadni.com.br 

scan-spyware2 .com - Email: info@paristours.fr 

topscan2 .com - Email: LouisALeavitt@yahoo.com 

topscan3 .com - Email: LouisALeavitt@yahoo.com 

virus-pcscan .com - Email: admin@rewards.de 

win-scan05 .com - Email: katia@salsat.eu 

win-scan07 .com - Email: katia@salsat.eu 

win-scan09 .com - Email: katia@salsat.eu 

winrescueupdate .com 

winscannerOl .com - Email: contacts@crunchiesb.com 
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winscannerl8 .com - Email: contacts@crunchiesb.com 
your-protection8 .com - Email: admin@Relocation.it 
Happy Holidays, too! 

Related Koobface research published in 2009: 

[25] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[26] Koobface Botnet Starts Serving Client-Side Exploits 



[27] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[28] Koobface Botnet's Scareware Business Model - Part Two 

[29] Koobface Botnet's Scareware Business Model - Part One 

[30] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[31] New Koobface campaign spoofs Adobe's Flash updater 

[32] Social engineering tactics of the Koobface botnet 

[33] Koobface Botnet Dissected in a TrendMicro Report 

[34] Movement on the Koobface Front - Part Two 

[35] Movement on the Koobface Front 

[36] Koobface - Come Out, Come Out, Wherever You Are 

[37] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [38]Dancho Danchev's 
blog. 
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Summarizing Zero Day's Posts for December (2010- 
01-04 22:03) 

The following is a brief summary of all of my posts at 
[l]ZDNet's Zero Day for December, 2009. 

You can also go through [2]previous summaries, as well as 
subscribe to my [3]personal RSS feed, [4]Zero Day's 

main feed, or follow all of [5]ZDNet's blogs on Twitter. 

01. [6]Koobface botnet enters the Xmas season 

02. [7]How many people fall victim to phishing attacks? 

03. [8]Zeus crimeware using Amazon's EC2 as command 
and control server 

04. [9]Report: Google's reCAPTCHA flawed 

05. [ 10JFBI: Scareware distributors stole $150M 

This post has been reproduced from [HJDancho Danchev's 
blog. 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/2QQ9/ll/summarizin a- 
zero-da vs- posts-for.html 








3. http://uDdates.zdnet.com/ta a s/dancho+danchev.html? 
t=0&s=Q&o=l&mode=rss 


4. http://feeds.feedburner.com/zdnet/securit v 

5. http://twitter.com/zdnetblo as 

6. http://blo a s.zdnet.com/securit v/? p = 5001 

7. http://blo a s.zdnet.com/securit v/? p = 5084 
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8. http://blo a s.zdnet.com/securit v/? p = 5110 

9. http://blo a s.zdnet.com/securit v/? p = 5123 

10. http://blo a s.zdnet.com/securit v/? p=5140 

11. http://ddanchev.blo as pot.com/ 
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Top Ten Must-Read Posts at ZDNet's Zero Day for 
2009 (2010-01-04 22:10) 

The end of the year naturally means a rush to come up with 
'best of the best' top lists consisting of your finest content. 
However, based on personal observations, during the 
holidays season the short attention span of the 

average reader becomes even shorter with everyone looking 
forward to taking a well-deserved break. Therefore, 

the first working week of the new year appears to be the 
perfect moment to summarize some of my most insightful 

























posts/analysis published at [l]ZDNet's Zero Day for 2009. 

The following ten posts have been featured due to their 
insightful content, comprehensiveness of the topic 

covered, and due to plain simple exclusivity in the time of 
their publishing. You will be, of course, missing the big 
picture if you don't keep track of [2]Ryan Naraine's 
coverage. 

Thank you for being a [3]Zero Day reader! 

01. [4]Microsoft study debunks phishing profitability 
02. [5]lnside BBC's Chimera botnet 

03. [6]China's 'secure' OS Kylin - a threat to U.S offsensive 
cyber capabilities? 

04. [7]Microsoft study debunks profitability of the 
underground economy 

05. [8]lranian opposition launches organized cyber attack 
against pro-Ahmadinejad sites - [9]Related coverage 06. 
[10]The Ultimate Guide to Scareware Protection 
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07. [ll]'Anonymous' group attempts DDoS attack against 
Australian government (Operation Didgeridie) 08. 
[12]Google's CAPTCHA experiment and the human factor 

09. [13]Does software piracy lead to higher malware 
infection rates? 

10. [14]Koobface botnet enters the Xmas season 

Related posts: 



[15] Summarizing Zero Day's Posts for January, 2009 

[16] Summarizing Zero Day's Posts for February, 2009 

[17] Summarizing Zero Day's Posts for March, 2009 

[18] Summarizing Zero Day's Posts for April, 2009 

[19] Summarizing Zero Day's Posts for May, 2009 

[20] Summarizing Zero Day's Posts for June, 2009 

[21] Summarizing Zero Day's Posts for July, 2009 

[22] Summarizing Zero Day's Posts for August, 2009 

[23] Summarizing Zero Day's Posts for September, 2009 

[24] Summarizing Zero Day's Posts for October, 2009 

[25] Summarizing Zero Day's Posts for November, 2009 

[26] Summarizing Zero Day's Posts for December, 2009 
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blog. 
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18. http://ddanchev.blo as pot.com/2QQ9/Q5/summarizin a- 
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20. http://ddanchev.blo as pot.com/2QQ9/Q7/summarizin a- 
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zero-da vs- PQSts-for-au a ust.html 


23. http://ddanchev.blo as pot.com/2QQ9/lQ/summarizin a- 
zero-da vs- posts-for.html 

24. http://ddanchev.blo as pot.com/2QQ9/ll/summarizin a- 
zero-da vs- posts-fQr-october.html 

25. http://ddanchev.blo as pot.com/2QQ9/ll/summarizin a- 
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Top Ten Must-Read DDanchev Posts For 2009 (2010- 
01-04 22:37) 

The following ten posts have been featured due to their 
insightful content, comprehensiveness of the topic covered, 
and due to plain simple exclusivity in the time of publishing, 
and not necessarily based on page views. 

Thank you for being a regular reader of my personal blog. 
Feel free to subscribe to [l]my RSS feed, keep track 

of [2]my posts at ZDNet's Zero Day, or [3]follow me on 
Twitter. 

01. [4]Conficker's Scareware/Fake Security Software 
Business Model 

























02. [5]Koobface Botnet's Scareware Business Model - Part 
One and [6]Part Two 

03. [7]lnside a Money Laundering Group's Spamming 
Operations 

04. [8]A Peek Inside the Managed Blackhat SEO Ecosystem 

05. [9]lranian Opposition DDoS-es pro-Ahmadinejad Sites 

06. [10]Koobface Botnet Redirects Facebook's IP Space to 
my Blog 

07. [ll]Standardizing the Money Mule Recruitment Process 

08. [12]Koobface Botnet Starts Serving Client-Side Exploits 

09. The SMS Ransomware series - [13]SMS Ransomware 
Displays Persistent Inline Ads; [14]SMS Ransomware Source 
Code Now Offered for Sale; [15]3rd SMS Ransomware 
Variant Offered for Sale; [16]4th SMS Ransomware Variant 

Offered for Sale; [17]5th SMS Ransomware Variant Offered 
for Sale; [ 18]6th SMS Ransomware Variant Offered for 

Sale 

10. [19]The Koobface Gang Wishes the Industry "Happy 
Holidays" 

This post has been reproduced from [20]Dancho Danchev's 
blog. 
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2. http://uDdates.zdnet.com/ta a s/dancho+danchev.html? 
o=l&mode=rss 


3. http://twitter.com/danchodanchev 

4. http://ddanchev.blo as pot.com/20Q9/Q4/confickers- 
scarewarefake-securitv.html 

5. http://ddanchev.blo as pot.com/2Q09/Q9/koobface-botnets- 
scareware-business.html 

6. http://ddanchev.blo as pot.com/20Q9/ll/koobface-botnets- 
scareware-business.html 

7. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a roups-spammin a .html 
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8. http://ddanchev.blo as pot.com/2009/Q6/peek-inside- 
mana a ed-blackhat-seo.html 

9. http://ddanchev.blo as pot.com/2009/Q6/iranian- 
op posifiQn-ddos-es-pro.html 

10. http://ddanchev.blo as pot.com/20Q9/10/koobface- 
botnet-redirects-facebooks-ip.html 

11. http://ddanchev.blo as pot.com/20Q9/10/standardizin a- 
monev-mule-recruitment.html 

12. http://ddanchev.blo as pot.com/20Q9/ll/koobface- 
botnet-starts-servin a -client.html 

13. http://ddanchev.blo as pot.com/2009/Q9/sms- 
ransomware-displa vs- persistent.html 

















































14. http://ddanchev.blo as DOt.com/2QQ9/Q5/sms- 
ransomware-source-code-now-offered.html 


15. http://ddanchev.blo as pot.com/2QQ9/Q5/3rd-sms- 
ransomware-variant-offered-for.html 


16. http://ddanchev.blo as pot.com/2QQ9/Q7/4th-sms- 
ransomware-variant-offered-for.html 


17. http://ddanchev.blo as pot.com/2QQ9/Q7/5th-sms- 
ransomware-variant-offered-for.html 


18. http://ddanchev.blo as pot.com/2QQ9/Q8/6th-sms- 
ransomware-variant-offered-for.html 


19. http://ddanchev.blo as pot.com/2QQ9/12/koobface- a an a- 
wishes-industrv-ha pp v.html 

20. http://ddanchev.blo as pot.com/ 
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Scareware, Blackhat SEO, Spam and Google Groups 
Abuse, Courtesy of the Koobface Gang 

(2010-01-08 17:29) 

The Koobface gang is known to have embraced the potential 
of the "underground multi-tasking" model a long time ago, 
in order to achieve the "malicious economies of scale" 
effect. This "underground multi-tasking" most commonly 
comes in the form of multiple monetization campaigns, 
which upon closer analysis always lead back to the Koobface 
gang's infrastructure. In fact, the gang is so obsessed with 
efficiency, that particular redirectors and key malicious 
























domains for a particular campaign, are also, simultaneously 
rotated across all the campaigns that they manage. 

For instance, throughout the past half an year, a huge 
percentage of the malicious infrastructure used simulta¬ 
neously in multiple campaigns, was parked on the [l]now 
shut down Riccom LTD - AS29550. From the [2]massive 

blackhat SEO campaigns affecting millions of legitimate 
web sites managed by the gang, to the [3]malvertising 
attack at the New York Times web site, and [4]the click-fraud 
facilitating [5]Bahama botnet, the Koobface botnet is only 
the tip of the iceberg for the efficient and fraudulent money 
machine that the gang operates. 
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In this analysis, I'll once again establish a connection 
between the ongoing blackhat SEO campaigns managed by 
the gang ( [6]Blackhat SEO Campaign Hijacks U.5 Federal 
Form Keywords, Serves Sea re ware; [7JU.S Federal Forms 
Blackhat SEO Themed Scareware Campaign Expanding; 

[8] Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO 

Campaign), with a spam campaign that's also syndicated 
across multiple Google Groups, and the Koobface botnet 
itself, with a particular emphasis on the scareware 
monetization taking place across all the campaigns. 

Related Koobface research and analysis: 

[9] The Koobface Gang Wishes the Industry "Happy 
Holidays" 


[10] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[11] Koobface Botnet Starts Serving Client-Side Exploits 

[12] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[13] Koobface Botnet's Scareware Business Model - Part Two 

[14] Koobface Botnet's Scareware Business Model - Part One 

[15] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[16] New Koobface campaign spoofs Adobe's Flash updater 
[ 17]Social engineering tactics of the Koobface botnet 
908 

[18] Koobface Botnet Dissected in a TrendMicro Report 

[19] Movement on the Koobface Front - Part Two 

[20] Movement on the Koobface Front 

[21] Koobface - Come Out, Come Out, Wherever You Are 

[22] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [23]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as pot.com/2009/12/koobface-friendl v- 
riccom-ltd-as29550.html 





2. http://ddanchev.blo as DOt.com/20Q9/ll/massive- 
scareware-servin a -blackhat-seo.html 

3. http://ddanchev.blo as pot.com/20Q9/Q9/ukrainian-fan- 
club-features.html 

4. http://blo a s.zdnet.com/securit v/7 p=4549 

5. http://ddanchev.blo as pot.com/20Q9/ll/koobface-botnets- 
scareware-business.html 

6. http://ddanchev.blo as pot.com/2QQ9/Q8/blackhat-seo- 
campai a n-hi i acks-us.html 

7. http://ddanchev.blo as pot.com/2QQ9/Q8/us-federal-forms- 
blackhat-seo-themed.html 


8. http://ddanchev.blo as pot.com/20Q9/Q8/dissectin a- 
ona oin a -us-federal-forms.html 

9. http://ddanchev.blo as pot.com/2QQ9/12/koobface- a an a- 
wishes-industrv-ha pp v.html 

10. http://ddanchev.blo as pot.com/2QQ9/12/koobface- 
friendlv-rgccQm-lltd-as29550.html 

11. http://ddanchev.blo as pot.com/2QQ9/ll/koobface- 
botnet-starts-servin a -client.html 

12. http://ddanchev.blo as pot.com/2QQ9/ll/massive- 
scareware-servin a -blackhat-seo.html 

13. http://ddanchev.blo as pot.com/2QQ9/ll/koobface- 
botnets-scareware-business.html 


14. http://ddanchev.blo as pot.com/2QQ9/Q9/koobface- 
botnets-scareware-business.html 


















































15. http://ddanchev.blo as DOt.com/2QQ9/lQ/koobface- 
botnet-redirects-facebooks-ip.html 

16. http://blo a s.zdnet.com/securit v/? p=4594 

17. http://content.zdnet.com/2346-12691 22-352597.html 

18. http://ddanchev.blo as pot.com/2QQ9/lQ/koobface- 
botnet-dissected-in-trendmicro.html 


19. http://ddanchev.blo as pot.com/2QQ9/Q8/movement-on- 
koobface-front-part-two.html 

20. http://ddanchev.blo as pot.com/20Q9/Q8/movement-on- 
koobface-front.html 


21. http://ddanchev.blo as pot.com/2QQ9/Q7/koobface-come- 
out-come-out-wherever-vou.html 

22. http://ddanchev.blo as pot.com/2QQ9/Q7/dissectin a- 
koobface-worms-twitter.html 


23. http://ddanchev.blo as pot.com/ 
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Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware (2010-01-08 23:53) 

UPDATED: Sunday, January 10, 2010 - The post has 
been updated with the latest domains spammed within the 
past 24 hours. 

UPDATED: Saturday, January 09, 2010 - The post has 
been updated with the latest domains spammed within 





























the past 24 hours. The spam campaign is ongoing. 

A currently ongoing spam campaign is using the "Your 
default mailbox settings have changed" theme, in order to 
infect gullible users into executing Trojan-Spy.Win32.Zbot 
([ljsettings-file.exe). 

Sample message: 

" The default settings of your mailbox were automatically 
changed. Please download and launch a file with a new set 
of settings for your e-mail account: fx-settings-file.exe. 

We constantly work on the quality level of our service, as 
well as on the development of its security and protection. 
During the last upgrade several essential improvements 
were adopted, such as new ports for the POP3 & SMTP 
protocols, plus the SMTP autentification. The new settings 
are necessary for those who use the mailings clients 910 
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(for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird 
etc.) or those who use our service via the web-interface. " 

Sample campaign structure: 

molendf.co .kr/owa/service directory/settings.php? 
email=fx@ya hoo.com 

&from=yahoo.com &fromname=fx 

Fast-fluxed seed IPs: 

61.64.170.232 


77.126.141.142 


188.56.139.174 


189.110.244.68 

189.179.13.36 

190.82.217.255 

195.174.109.241 
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200.169.71.144 

201.232.187.200 

201.236.48.117 

210.106.80.90 

218.153.64.25 

221.26.184.25 
59.92.58.166 
61.20.133.88 

DNS servers of notice: 
nsl.moorcargo .net 

nsl.aj-realtors .com - Email: support@ajr.com 

nsl.groupswat .com 
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nsl.elkins-realty .net - Email: BO.la@yahoo.com 

nsl.nocksold .com - Email: termer@counsellor.com 

nsl.seldomservice .net - 89.238.165.195 - Email: 
pp0271@gmail.com 

nsl.viking-gave .net - 89.238.165.195 - Email: 
glonders@gmail.com 

nsl.controlpanellsolutions .com - 212.95.50.175 - 
Email: jobwes@clerk.com 

Hundreds of typosquatted subdomains reside within the 
following currently active domains: 

ujjiks.co .im 

ujjiks.com .im 

ujjiks.org .im 

ujjikx.co .im 

ujjikx.com .im 

ujjikx.org .im 

molendf.co .kr 

molendf .com 

molendf .kr 

molendf.ne .kr 


molendf.or .kr 



vcrssdl .cc 


vcrssdl .eu 
vfrtssd .com 
vsmprot.co .uk 
vsmprot .com 
vsmprot .eu 
vsmprot.me .uk 
vsmprot.org .uk 
913 
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ikuu8a .com - Email: bjnjnsls@technologist.com 
ikuu8d .com - Email: bjnjnsls@technologist.com 
ikuu8e .com - Email: bjnjnsls@technologist.com 
ikuu8q .com - Email: bjnjnsls@technologist.com 
ikuu8s .com - Email: bjnjnsls@technologist.com 
ikuu8w .com - Email: bjnjnsls@technologist.com 
ikuu8x .com - Email: bjnjnsls@technologist.com 
ikuu8z .com - Email: bjnjnsls@technologist.com 
ikuu8a .net - Email: bjnjnsls@technologist.com 
ikuu8e .net - Email: bjnjnsls@technologist.com 


ikuu8q .net - Email: bjnjnsls@technologist.com 
ikuu8s .net - Email: bjnjnsls@technologist.com 
ikuu8w .net - Email: bjnjnsls@technologist.com 
ikuu8x .net - Email: bjnjnsls@technologist.com 
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ikuu8z .net - Email: bjnjnsls@technologist.com 
yhuttte.ne .kr - Email: scepterpdg@chemist.com 
yhuttti.ne .kr - Email: scepterpdg@chemist.com 
yhutttu.ne .kr - Email: scepterpdg@chemist.com 
yhuttte .kr - Email: scepterpdg@chemist.com 
yhuttti .kr - Email: scepterpdg@chemist.com 
yhuttte.co .kr - Email: scepterpdg@chemist.com 
yhuttti.co .kr - Email: scepterpdg@chemist.com 
yhutttr.co .kr - Email: scepterpdg@chemist.com 
yhutttu.co .kr - Email: scepterpdg@chemist.com 
yhuttte.or .kr - Email: scepterpdg@chemist.com 
yhuttti.or .kr - Email: scepterpdg@chemist.com 
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yhutttr.or .kr - Email: scepterpdg@chemist.com 
yhutttu.or .kr - Email: scepterpdg@chemist.com 
yhutttr .kr - Email: scepterpdg@chemist.com 
yhutttu .kr - Email: scepterpdg@chemist.com 
ujyhl.ne .kr - Email: combinetct@financier.com 
ujyho.ne .kr - Email: combinetct@financier.com 
ujyhf .kr - Email: combinetct@financier.com 
ujyhl .kr - Email: combinetct@financier.com 
ujyhf.co .kr - Email: combinetct@financier.com 
ujyhl.co .kr - Email: combinetct@financier.com 
ujyho.co .kr - Email: combinetct@financier.com 
ujyhs.co .kr - Email: combinetct@financier.com 
ujyho .kr - Email: combinetct@financier.com 
ujyhf.or .kr - Email: combinetct@financier.com 
ujyhl.or .kr - Email: combinetct@financier.com 
ujyho.or .kr - Email: combinetct@financier.com 
ujyhs.or .kr - Email: combinetct@financier.com 
916 
K 

ujyhs .kr - Email: combinetct@financier.com 



Seen within the past 24 hours, now offline domains part of 
the campaign: 

yhe3essa .com.pl 

yhe3essd .com.pl 

yhe3esse .com.pl 

yhe3essf .com.pl 

yhe3essg .com.pl 

yhe3essi .com.pl 

yhe3esso .com.pl 

yhe3essp .com.pl 

yhe3essq .com.pl 

yhe3essr .com.pl 
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yhe3esss .com.pl 
yhe3esst .com.pl 
yhe3essu .com.pl 
yhe3essw .com.pl 
yhe3essy .com.pl 
ok9iiol .com 


ok9iio2 .com 



ok9i 

io3 

.com 

ok9i 

io4 

.com 

ok9i 

io5 

.com 

ok9i 

io6 

.com 

ok9i 

io7 

.com 

ok9i 

io8 

.com 

ok9i 

iol 

.net 

ok9i 

io2 

.net 

ok9i 

io3 

.net 

ok9i 

io4 

.net 

ok9i 

io5 

.net 

ok9i 

io6 

.net 

ok9i 

io7 

.net 


Upon execution the sample phones back to the already 
[2]blacklisted by the Zeus Tracker nekovo .ru: 

nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 

109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - 
Troyak-as Starchenko Roman Fedorovich. 

Related Zeus crimeware name servers respond to the same 
IP: 


- nsl.trust-service .cn - (domain itself [3]responds to 
193.104.41.133) - Email: olezhiosapiel@yahoo.es 





- nsl.elnasa .ru - (domain itself [4]responds to 
91.200.164.12) - Email: kievsk@yandex.ru 

- nsl.recessa .ru - (domain itself [5]responds to 
193.104.41.69) - Email: kievsk@yandex.ru 

- nsl.stomaid .ru - (domain itself [6]responds to 
91.200.164.10) - Email: kievsk@yandex.ru 

Parked withn the same AS, are also the following currently 
active Zeus crimeware serving domains: 

web-information-services .com - 91.198.109.69 - Email 
pita@bigmailbox.ru 

erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru 

excellenthostingservice .com - 91.198.109.48 - Email: 
xm@qx8.ru 

goldhostingservice .com - 91.198.109.32 - Email: 
clod@qx8.ru 

Pretty much your typical cybercrime-friendly virtual 
neighborhood. 

Related posts: 

[7] Pushdo Injecting Bogus Swine Flu Vaccine 

[8] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[9] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[10] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 



This post has been reproduced from [HJDancho Danchev's 
blog. 

1 . 

http://www.virustotal.com/analisis/26efaeec869a31abb49fd 

Cc6ef82207fl234f92b73de01589e8294a053f31d7b-12629 
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2. https://zeustracker.abuse.ch/monitor. ph o7host-nekovo.ru 

3. httPs://zeustracker.abuse.ch/monitor. ph p?host=trust- 
service.cn 

4. https://zeustracker.abuse.ch/monitor. ph p?host=elnasa.ru 

5. https://zeustracker.abuse.ch/monitor. php? 
host=recessa.ru 

6. https://zeustracker.abuse.ch/monitor. php? 
host=stomaid.ru 

7. http://ddanchev.blo as pot.com/2QQ9/12/pushdo-in i ectin a- 
bo a us-swine-flu.html 

8. http://ddanchev.blo as pot.com/20Q9/ll/vour-maillbox-has- 
been-deactivated-spam.html 

9. http://ddanchev.blo as pot.com/2QQ9/lQ/on a oin a -fdic- 
s pam-campai a n-serves-zeus.html 

10. http://ddanchev.blo as pot.com/2QQ9/Q7/multitaskin a- 
fast-f1ux-botnet-that.html 


11. http://ddanchev.blo as pot.com/ 
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Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams (2010-01-13 21:10) 

UPDATED, Friday, 15, 2010: The gang continues rotating 
the campaigns by targeting different brands. Over the 24 

hours they've spamming the well known " Notice of 
Underreported Income " theme this time targeting HM 
Revenue and Customs (HMRC), and have also 
introduced new portfolios of typosquatted domains next to 
changing the client-side exploits serving iFrame embedded 
on each and every page. 

- Sample message: "F iling and paying your federal taxes 
correctly and on time is an important part of living and 920 
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working in the United Kingdom. Please review (download 
and execute) your tax statement. If the statement is 
incorrect, contact our Taxpayer Advocate Service. " 

- Sample URL: online.hmrc.gov.uk.olpiku5v 
. com. pl/Security WebApp/h ttpsmode/sta tement. php 

Detection rates fortax-statement.exe ([l]Trojan- 
Spy.Win32.Zbot.gen) and file.exe ([2]Trojan- 
Spy.Win32.Zbot.gen). 

Upon execution, the samples attempt to connect to elnasa 
.ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble). 


The structure of the iFrame, now using an IP address instead 
of a domain name, remains the same: 

- 109.95.114.251 /uksl/in.php - 109.95.114.251 - 
AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - 
akanyovskiy@troyak.org 

- 109.95.114.251 /uksl/jquery.jxx 

- 109.95.114.251 /u ks 1/xd/pdf. pdf 

- 109.95.114.251 /uksl/load.php 

- 109.95.114.251 /uksl/file.exe 

DNS servers of notice: 

nsl.pds-properties .com - 89.238.165.195 

nsl.noeproperties .com - 84.243.201.159 

nsl.densondatabase .com - 94.23.177.147 

nsl.dogsgrem .net - 89.238.165.195 - Email: 
glonders@gmail.com - Email seen in [3]previous domain 
registrations 921 

Typosquatted domains spammed over the past 24 hours: 

olpiku5a .com.pl 
olpiku5b .com.pl 
olpiku5c .com.pl 
olpiku5d .com.pl 
olpiku5e .com.pl 



olpiku5f .com.pl 
olpiku5g .com.pl 
olpiku5q .com.pl 
olpiku5r .com.pl 
olpiku5s .com.pl 
olpiku5t .com.pl 
olpiku5v .com.pl 
olpiku5w .com.pl 
olpiku5x .com.pl 
olpiku5z .com.pl 
ujo9ia .com.pl 
ujo9id .com.pl 
ujo9ie .com.pl 
ujo9if .com.pl 
ujo9ig .com.pl 
ujo9ih .com.pl 
ujo9im .com.pl 
ujo9in .com.pl 
ujo9iq .com.pl 
ujo9ir .com.pl 




ujo9is .com.pl 
ujo9it .com.pl 
ujo9iw .com.pl 
ujo9iy .com.pl 
ujo9iz .com.pl 
922 
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tlllut .me.uk 
tllluy .me.uk 
tllluz .me.uk 
tllluk .org.uk 
tlllut .org.uk 
tllluz .org.uk 
tllluk .co.uk 
tllluy .co.uk 
okiolh .ne.kr 
okiolw .ne.kr 
okiolh .kr 
okiolh .co.kr 


okiolu .co.kr 


okiolv .co.kr 


okiolw .co.kr 
okiolh .or.kr 
okiolu .or.kr 

923 

okiolv .or.kr 
okiolw .or.kr 
okiolu .kr 
okiolv .kr 
okiolw .kr 
proterpl .im 
virtditl .im 
virtdit2 .im 
virtdit3 .im 
virtdit4 .im 
virtdit5 .im 
virtdit6 .im 
virtdit7 .im 


virtdit8 .im 



UPDATED: Gary Warner offers additional insights into the 
latest campaigns - [4]This Week in Avalanche / Zbot 

/ Zeus Bot: HSBC & eBay. 

What the botnet masters forget is that with each and every 
campaign, based on a number of factors, they re¬ 
veal more about themselves and their affiliations within the 
cybercrime ecosystem. The degree of monetization 

is proportional with the loss of OPSEC (operational security), 
and this remains valid for any fraudulent campaign, botnet 
or cybercrime community in general. 

UPDATED: To clarify, in this campaign Pushdo acts as 
[5]the spam platform for the [6]Avalanche/MS-Redirect 
botnet. 

In need of a good example why you shouldn't be interacting 
with spam/phishing emails in any other way but 

reporting/deleting them, unless of course you're in the 
business of analyzing them? 
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Last week's [7]OWA-themed Zeus-serving spam campaign 
courtesy of the Pushdo botnet, has not just resumed, 

but is continuing to serve client-side exploits (CVE-2007- 
5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting 
the spammed web sites through an iFrame embedded on all 
of them. Such traffic optimization tactics are nothing 


new, since the botnet master is anticipating the fact that 
the visitor that clicked on the link, may not be that stupid 
the next time, so attempting to serve the malware without 
any kind of interaction on his behalf through client-side 
exploits is the tactic of choice. 

Let's dissect the campaign, list all of the currently active 
fast-fluxed domains, the name servers of notice, the client- 
side exploit serving structure, and the Russian Brides scam 
domains spamvertised over the last few days. 
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Active fast-fluxed domains part of the campaign: 
leptprs.co .kr - Email: wawddhaepny@yahoo.com 
leptprs .kr - Email: wawddhaepny@yahoo.com 
leptprs.ne .kr - Email: wawddhaepny@yahoo.com 
leptprs.or .kr - Email: wawddhaepny@yahoo.com 
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com 
ui7772.co .kr - Email: jn.hadler@jkh.org.uk 
ui7772 .kr - Email: jn.hadler@jkh.org.uk 
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk 
ui7772.or .kr - Email: jn.hadler@jkh.org.uk 
ui777f .kr - Email: jn.hadler@jkh.org.uk 
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk 


ui777f.or .kr - Email: jn.hadler@jkh.org.uk 
ui777fne .kr - Email: jn.hadler@jkh.org.uk 
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ui777l.co .kr - Email: jn.hadler@jkh.org.uk 
ui777p.co .kr - Email: jn.hadler@jkh.org.uk 
ui777p .kr - Email: jn.hadler@jkh.org.uk 
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk 
ui777p.or .kr - Email: jn.hadler@jkh.org.uk 
DNS servers of notice: 

nsl.raddoor .com - Email: figarro77@gmail.com 
nsl.snup-up .net - Email: dietsnak@socialworker.net 
nsl.aj-realty .net - Email: support@aj-realty.net 

nsl.aj-administration .com - Email: manager@mack.net 

nsl.aj-talentsearch .com - Email: supp@mail.net 

nsl.eurobankfinance .net - Email: 
termer@counsellor.com 
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nsl.hetn91 .com - Email: astrix@aol.com 


nsl.personnel-aj .com - Email: KimMlngram@aol.com 

nsl.nitroexcel .net 
nsl.fredoms .com 
nsl.ajstaffing .net 
nsl.angel-death .net 
nsl.aj-estate .com 
nsl.aj-realtors .com 
nsl.pdsproperties .com 
nsl.groupswat .com 
Upon 

execution, 

[8jsettings-file.exe 

(Trojan-Spy. Win32.Zbot.adsy), 

phones 

back 

to 

109.123.70 

.97/fh3245sq/config.bin. 

Detection rate for pdf.pdf ([9]Exploit-PDF.ac) and file.exe 
([10]Trojan.Win32.Riern). 



The structure of the iFrame is as follows: 


- atthisstage .com/uksp/in.php - 84.45.45.135 - Email 
soakes@soakes.com 

- atthisstage .com/uksp/jquery.jxx 

- atthisstage .com/uksp/xd/pdf.pdf 
-atthisstage .com/uksp/load.php 

- atthisstage .com/uksp/file.exe 
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Russian Brides spamvertised domains part of an affiliate 
network: 

toolbarsunited .com - Email: soft.tj@gmail.com 
2006jubilee .com - Email: soft.tj@gmail.com 
avtofo .org - Email: flarnes@gmail.com 
lovesexdatings .com - Email: kauplus@li.ru 
stars-dating .com - Email: kauplus@li.ru 
avtofo.com .ua 
dinenyc .net 

cid-f5f40efIf5210d08.spaces .live.com 
cid-clb015ffelb44573.spaces .live.com 
Cid-b78f4f23e27d2b45.spaces .live.com 


cid-8d3413073f537740.spaces .live.com 

cid-205046cf66900102.spaces .live.com 

If you want to know more the inner workings of the 
Pushdo/Cutwail botnet, consider going through the 

[11] Pushdo 

/ Cutwail - An Indepth Analysis report. 

Related posts: 

[12] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 
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[13] Pushdo Injecting Bogus Swine Flu Vaccine 

[14] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[15] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[16] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [17]Dancho Danchev's 
blog. 

1 . 

http://www.virustotal.com/analisis/bebf6c8b3c6a29acfb7d5 

1022c0948dalec2e83d3c8aa4b4cld27cca901fd631-12635 

73013 


2 . 





http://www.vi rustotal.com/analisis/1933c6e274093be895c8 

d904b9a32a8f0Q8cebc3a608622a2afdQ9e2ba68fa7c- 

12635 

73021 

3. http://ddanchev.blo as pot.com/2QlQ/01/outlook-web- 
access-themed-soam-camoai a n.html 

4. http:// a arwarner.blo as pot.com/2QlQ/01/this-week-in- 
a va I a n c h e-z bot-zeu s -bot. h tm I 

5. https://twitter.com/avivra/status/7720494889 

6. https://twitter.com/avivra/status/7721711447 

7. http://ddanchev.blo as oot.com/2QlQ/Ql/outlook-web- 
access-themed-soam-camoai a n.html 

8 . 

http://www.virustotal.com/analisis/d62d93ffa6fQ91db355e5 

6b6db6bce9cdf683e34256d734b7c9ec6321ad917e8- 

12633 

98244 

9. 

http://www.virustotal.com/analisis/8fl5b24627621b74df7af 

103fe2fef9908728a3c0bdla2afdf83947e980251cc-12633 

96897 

10 . 

http://www.virustotal.com/analisis/433accd7f258cl813c6c6 

310a4a2347ee45530db839bea2663f59f2ccf6d3be3-12633 






























97127 


11 . 

http://us.trendmicro.com/imDeria/md/content/us/pdf/threats 
/securitvlibrarv/studv of pushdo.pdf 

12. http://ddanchev.blo as pot.com/2QlQ/01/outlook-web- 
access-themed-spam-campai a n.html 

13. http://ddanchev.blo as pot.com/2QQ9/12/pushdo- 
ini ectin a -bo a us-swine-flu.html 

14. http://ddanchev.blo as pot.com/2QQ9/ll/vour-mailbox- 
has-been-deactivated-spam.html 

15. http://ddanchev.blo as pot.com/2QQ9/lQ/on a oin a -fdic- 
s pam-campai a n-serves-zeus.html 

16. http://ddanchev.blo as pot.com/2QQ9/Q7/multitaskin a- 
fast-f1ux-botnet-that.html 


17. http://ddanchev.blo as pot.com/ 
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Follow Me on Twitter! (2010-01-18 19:05) 

Are you on Twitter? If so, [l]consider following my tweets, or 
if you're not using it you can always [2]subscribe to the RSS 
feed. 

1. http://twitter.com/danchodanchev 

2. http://twitter.com/statuses/user_timeline/1968Q610.rss 


931 







































Facebook/AOL Update Tool Spam Campaign Serving 
Crimeware and Client-Side Exploits (2010-01-26 
09:34) 

Continuing [l]the Pushdo coverage from last week, the " 
YourAOL Instant Messenger account is flagged as inactive" 

"[2] or the latest update for the AIM " themed campaign from 
the weekend, has once again returned to a well known 
theme, namely, the "[3] Facebook Update Toot' spam 
campaign. 

The botnet masters have introduced several new name 
servers - domain suspension is pending - but con¬ 
tinue using the same IP embedded on all the pages, for 
serving the client-side exploits, with a slight change in the 
directory structure. 

- Sample subject: Facebook Update Tool 

- Sample body: 11 Dear Facebook user, In an effort to make 
your online experience safer and more enjoyable, Facebook 
will be implementing a new login system that will affect all 
Facebook users. These changes will offer new features and 
increased account security Before you are able to use the 
new login system, you will be required to update your 
account. Click here to update your account online now. If 
you have any questions, reference our New User Guide. 

Thanks, The Facebook Team" 

- Sample URL: facebook.com.ddeassrq 
.vc/usr/Logi n Facebook. php?ref 

- Detection rates for scripts/crimeware/exploits: 


[4JFile.exe (phones back to the currently down nekovo 

.ru/cbd/nekovo.bri); [5]lE.js; [6]IE2.js; [7]nowTrue.swf; 

[8]pdf.pdf 

- Sample iFrame exploitation structure: 109.95.114 
.251/us01d/in.php 
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- 109.95.114 .251/usOld/jquery.jxx 

- 109.95.114 .251/us01d/xd/pdf.pdf 

- 109.95.114 .251/usOld/load.php 

- 109.95.114 .251/usOld/file.exe 

- Sample typosquatted and currently active domains: 
ddeasaeq .vc - Email: mspspaceki@mad.scientist.com 
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com 
ddeassrq .vc - Email: mspspaceki@mad.scientist.com 
ddeasutq .vc - Email: mspspaceki@mad.scientist.com 
ddeasauq .vc - Email: mspspaceki@mad.scientist.com 
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com 
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com 
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reeesassf .la - Email: palatalizefxt@popstar.com 
ukgedsa.com .hn - Email: zmamarc689@witty.com 
ukgedsc.com .vc - Email: zmamarc689@witty.com 
ukgedse.com .hn - Email: zmamarc689@witty.com 
ukgedsg.com .vc - Email: zmamarc689@witty.com 
ukgedsh.com .vc - Email: zmamarc689@witty.com 
ukgedsi .hn - Email: zmamarc689@witty.com 
ukgedsq.com .hn - Email: zmamarc689@witty.com 
ukgedsr.com .sc - Email: zmamarc689@witty.com 
ukgedst.com .sc - Email: zmamarc689@witty.com 
ukgedsu.com .vc - Email: zmamarc689@witty.com 
934 

ukgedsv.com .vc - Email: zmamarc689@witty.com 
ukgedsy.com .vc - Email: zmamarc689@witty.com 

- Name servers of notice: 

nsl.availname .net - 204.12.229.89 - Email: 
Larimore@yahoo.com 

nsl.sorbauto .com - 204.12.229.89 - Email: 
xtrai@email.com 

nsl.worldkinofest .com - Email: tolosal965@snail- 
mail.net 



nsl.pdsproperties .net - 92.84.23.138 - Email: 
PDSProperties@yahoo.com 

nsl.drinckclub .com - 94.23.177.147 - Email: 
excins@iname.com 

nsl.transsubmit .net - 94.23.177.147 - Email: 
Alaniz@gmail.com 

nsl.theautocompany .net - suspended 
nsl.24stophours .com - suspended 
nsl.disksilver .net - suspended 

Thankfully, quality assurance is not taken into consideration 
in this campaign - the iFrame's IP is already heavily 
blacklisted, and the crimeware sample itself attempts to 
phone back to a C &C that has been down for several days. 

The gang's activities will be updated as they happen. 

Related posts: 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[10] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[11] Pushdo Injecting Bogus Swine Flu Vaccine 

[12] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 


[13]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 



[14]The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [15]Dancho Danchev's 
blog. 

1. http://ddanchev.blo as oot.com/2QlQ/Ql/pushdo-servin a- 
crimeware-client-side.html 

2. http:// a arwarner.blo as pot.com/2QlQ/01/aol-update- 
s preads-zeus-zbot.html 

3. http://ddanchev.blo as pot.com/2QQ9/lQ/on a oin a -fdic- 
s pam-campai a n-serves-zeus.html 

4. 

http://www.virustotal.com/analisis/c362c51b41df7ff9c6aQf6 

33a4fbd22cd399c91221d0ed66c9fcal879d3ba8ba-12644 

64538 

5. 

http://www.virustotal.com/analisis/78f852ec4b2ad25QclQ9 

6d5daf2ec05fflab79f75c2225cdd71df09Qlef6b8dd-12644 

64978 

6 . 

http://www.virustotal.com/analisis/6Qf61537c725d257a2ed 

b86f65f5f4ab3c9871c7e9c460cblccb7466flfl4496-12644 

64983 


7 . 
























http://www.vi rustotal.com/analisis/de54327ae5b208flf4570 

4d41ef03cQ2758f7fl2c2f63907db70429629c44df3-12644 


64990 

8 . 

http://www.virustotal.com/analisis/63eb7672e92b590a94cQ 

8ef59fb8aaea069dfdd7242c78b2670d9634d65a0e9f- 

12644 

65015 

9. http://ddanchev.blo as pot.com/201Q/01/pushdo-servin a- 
crimeware-client-side.html 


10. http://ddanchev.blo as pot.com/2QlQ/01/outlook-web- 
access-themed-soam-camoai a n.html 

11. http://ddanchev.blo as oot.com/2QQ9/12/pushdo- 
ini ectin a -bo a us-swine-flu.html 

12. http://ddanchev.blo as oot.com/2QQ9/ll/vour-mailbox- 
has-been-deactivated-soam.html 

13. http://ddanchev.blo as pot.com/2QQ9/lQ/on a oin a -fdic- 
s oam-camoai a n-serves-zeus.html 

14. http://ddanchev.blo as oot.com/2QQ9/Q7/multitaskin a- 
fast-f1ux-botnet-that.html 


15. http://ddanchev.blo as oot.com/ 
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Inside a Commercial Chinese DIY DDoS Platform 
(2010-01-26 14:28) 








































With China in the focus of international fiasco (consider 
going through the [l]Google-China cyber espionage 
saga - 

FAQ) 

Related Chinese hacking/hacktivism coverage: 

[2] Localizing Open Source Malware 

[3] Custom DDoS Capabilities Within a Malware 

[4] Custom DDoS Attacks Within Popular Malware 
Diversifying 

[5] The FirePack Exploitation Kit Localized to Chinese 

[6] MPack and IcePack Localized to Chinese 

[7] Massive SQL Injection Attacks - the Chinese Way 

[8] A Chinese DIY Multi-Feature Malware 

[9] DIY Chinese Passwords Stealer 

[10] A Chinese Malware Downloader in the Wild 

[lljChinese Hackers Attacking U.S Department of Defense 
Networks 

[12] Chinese Hacktivists Waging People's Information 
Warfare Against CNN 

[13] The DDoS Attack Against CNN.com 

This post has been reproduced from [14]Dancho Danchev's 
blog. Follow him [15Jon Twitter. 



1. http://blo a s.zdnet.com/securit v/? p = 5259 


2. http://ddanchev.blo as pot.com/2QQ7/Q9/localizin a-o pen- 
source-malware.html 

3. http://ddanchev.blo as pot.com/2QQ7/Q9/custom-ddos- 
capabilities-within-malware.html 

4. http://ddanchev.blo as pot.com/2QQ8/05/custom-ddos- 
attacks-within- po pular.html 

5. http://ddanchev.blo as pot.com/2QQ8/Q5/firepack- 
exploitation-kit-localized-to.html 

6. http://ddanchev.blo as pot.com/2QQ7/10/mpack-and- 
icepack-localized-to-chinese.html 

7. http://ddanchev.blo as pot.com/2QQ8/lQ/massive-sa l- 
ini ection-attacks-chinese.html 

8. http://ddanchev.blo as pot.com/2QQ8/Q5/chinese-div-multi- 
feature-malware.html 

9. http://ddanchev.blo as pot.com/2QQ7/Q9/div-chinese- 
passwords-stealer.html 

10. http://ddanchev.blo as pot.com/2QQ7/Q9/chinese- 
malware-downloader-in-wild.html 


11. http://ddanchev.blo as pot.com/20Q6/Q9/chinese-hackers- 
attackin a -us.html 

12. http://ddanchev.blo as pot.com/2QQ8/Q4/chinese- 
hacktivists-wa aina- peoples.html 

13. http://ddanchev.blo as pot.com/2QQ8/Q4/ddos-attack- 
aa ainst-cnncom.html 


















































14. http://ddanchev.blo as pot.com/ 

15. http://twitter.com/danchodanchev 
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Inside a Commercial Chinese DIY DDoS Platform 
(2010-01-26 14:28) 

With China in the focus of international fiasco (consider 
going through the [l]Google-China cyber espionage 
saga - 

FAQ) 

Related Chinese hacking/hacktivism coverage: 

[2] Localizing Open Source Malware 

[3] Custom DDoS Capabilities Within a Malware 

[4] Custom DDoS Attacks Within Popular Malware 
Diversifying 

[5] The FirePack Exploitation Kit Localized to Chinese 

[6] MPack and IcePack Localized to Chinese 

[7] Massive SQL Injection Attacks - the Chinese Way 

[8] A Chinese DIY Multi-Feature Malware 

[9] DIY Chinese Passwords Stealer 

[10] A Chinese Malware Downloader in the Wild 

[lljChinese Hackers Attacking U.S Department of Defense 
Networks 

[12] Chinese Hacktivists Waging People's Information 
Warfare Against CNN 

[13] The DDoS Attack Against CNN.com 



This post has been reproduced from [14]Dancho Danchev's 
blog. Follow him [15Jon Twitter 

1. http://blo a s.zdnet.com/securit v/? p = 5259 
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source-malware.html 

3. http://ddanchev.blo as pot.com/2QQ7/09/custom-ddos- 
capabilities-within-malware.html 

4. http://ddanchev.blo as pot.com/2QQ8/Q5/custom-ddos- 
attacks-within- PO Pular.html 

5. http://ddanchev.blo as pot.com/2QQ8/Q5/firepack- 
exploitation-kit-localized-to.html 

6. http://ddanchev.blo as pot.com/2QQ7/lQ/mpack-and- 
icepack-localized-to-chinese.html 

7. http://ddanchev.blo as pot.com/2QQ8/lQ/massive-sa l- 
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8. http://ddanchev.blo as pot.com/2QQ8/Q5/chinese-div-multi- 
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9. http://ddanchev.blo as pot.com/2QQ7/Q9/div-chinese- 
passwords-stealer.html 

10. http://ddanchev.blo as pot.com/20Q7/Q9/chinese- 
malware-downloader-in-wild.html 


11. http://ddanchev.blo as pot.com/2QQ6/Q9/chinese-hackers- 
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12. http://ddanchev.blo as pot.com/2QQ8/Q4/chinese- 
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13. http://ddanchev.blo as pot.com/2QQ8/Q4/ddos-attack- 
aa ainst-cnncom.html 

14. http://ddanchev.blo as oot.com/ 

15. http://twitter.com/danchodanchev 
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Summarizing Zero Day's Posts for January (2010-02- 
01 22:34) 

The following is a brief summary of all of my posts at 

[1] ZDNet's Zero Day for January, 2010. You can also go 
through 

[2] previous summaries, as well as subscribe to my 

[3] personal RSS feed, [4]Zero Day's main feed, [5]follow me 
or all of [6]ZDNet's blogs on Twitter. 

Recommended reading - [7]Google-China cyber 
espionage saga - FAQ. 

01. [8]Baidu DNS records hijacked by Iranian Cyber Army 

02. [9]Haiti earthquake themed blackhat SEO campaigns 
serving scareware 

03. [10]Google-China cyber espionage saga - FAQ 








04. [ll]And the most popular password is... 

05. [12]Bogus IQ test with destructive payload in the wild 

06. [13]Report: 48 % of 22 million scanned computers 
infected with malware 

This post has been reproduced from [14]Dancho Danchev's 
blog. Follow him [15Jon Twitter. 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/201Q/Ql/summarizin a- 
zero-da vs- PQSts-fQr.html 

3. http://updates.zdnet.com/ta a s/dancho-i-danchev.html? 
t=Q&s=Q&o^l&mode=rss 

4. http://feeds.feedburner.com/zdnet/securit v 
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5. http://twitter.com/danchodanchev 

6. http://twitter.com/zdnetblo as 

7. http://blo a s.zdnet.com/securit v/? p = 5259 

8. http://blo a s.zdnet.com/securit v/? p = 5204 

9. http://blo a s.zdnet.com/securit v/? p = 5244 

10. http://blo a s.zdnet.com/securit v/? p=5259 

11. http://blo a s.zdnet.com/securit v/? p=5325 

12. http://blo a s.zdnet.com/securit v/? p=5357 

































13. httP://blo a s.zdnet.com/securit v/? p=5365 

14. http://ddanchev.blo as pot.com/ 

15. http://twitter.com/danchodanchev 
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How the Koobface Gang Monetizes Mac OS X Traffic 
(2010-02-02 18:07) 

Mac users appear to have a special place in the heart of the 
Koobface gang, since they've recently started 
experimenting with a monetization strategy especially for 
them - by compromising legitimate sites for the sole 
purpose of embedding them with the popular PHP backdoor 
shell C99 (Synsta mod), in an attempt to redirect all the Mac 
OS X 

traffic to affiliate dating programs, such as for instance 
[l]AdultFriendFinder. 

The use of Synsta's C99 mod is not a novel approach, the 
gang has been using for over an year and a half now. The 
original KROTEG injected script, is now including a " hey 
rogazi" message. "Hey rogazi" appears to be some kind of 
slang 941 


£ 


word ( rogatstsi) for scooter driving Italian people. What's 
also interesting to point out is that the Mac OS X redirection 
takes place through one of the few currently active 








centralized IPs from Koobface 1.0's infrastructure - 

61.235.117.83. 
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This very same IP (profiled in [2]August, 2009 and then in 
[3]September, 2009) was once brought offline thanks to the 
folks at China CERT, but quickly resumed operation, with 
Koobface 1.0's "leftovers" xtsd20090815 .com and kiano- 
180809 .com (domain was [4]serving client-side exploits 
in November 2009's experiment by the Koobfae gang, 
followed by another one again hosted at 61.235.117.83) 
still parked there. 

• Go through related web shell backdoors, monetization 
posts: [5]A Compilation of Web Backdoors; ^Mone¬ 
tizing Web Site Defacements; [7]Underground Multitasking 
in Action; [8]Monetizing Compromised Web Sites, 

[9]Web Site Defacement Groups Going Phishing 
943 
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Moreover, this China-based IP (it even has a modest 
[10]Alexa pagerank) was also the centralized redirection 
point in Koobface 1.0's scareware business model using 
popup.php to redirect to a systematically updated portfolio 
of scareware domains, and the first time ever that I came 
across to what [ll]the gang is now publicly acknowledging 
as the " 2008 ali baba and 40, LLC" team. 

[12JAS9394 (CRNET) itself is currently hosting the following 
active Zeus crimeware campaigns: 


[13] 6alava .com - 61.235.117.70 - Email: 
necks@corporatemail.ru 

[14] sicha-linna .com - 61.235.117.77 - Email: 
stay@bigmai I box.ru 

[15] stopspaming .com - 61.235.117.70 - Email: 
bunco@e2mail.ru 

[16] ubojnajasila .net - 61.235.117.87 - Email: 
ubojnajasila.net@contactprivacy.com 

Here's how the experiment looks like in its current form. 
Once the OS is detected, the redirection takes place 

through 61.235.117.83 /mac.php -> 61.235.117.83 
/vvv.htm loading the following pages, using the gang's 
unique campaign IDs at AdultFriendFinder: 

- BestDatingDirect .com/page hot.php? 
page=random &did = 14029 

- adultfriendfinder .com/go/page/ad ffadult gonzo? 
pid = p291351.sub2w954 &lang=english 

- adultfriendfinder .com/go/page/landing page 
_geobanner?pid=g227362-ppc 
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Parked on 63.218.226.67 - AS3491; PCCWGIobal-ASN 
PCCW Global is the rest of the dating site redirectors: 

bestdatingdirect .com 


bestnetdate .com 


currentdating .com 
datefunclub .com 
enormousdating .com 
giantdating .com 
onlinelovedating .com 
worldbestdate .com 
worlddatinghere .com 

This isn't the first time that the Koobface gang is attempting 
to monetize traffic through dating affiliate networks. In fact, 
in November's M [17]Koobface Botnet's Scareware Business 
Model - Part Two" post emphasizing on the gang's 
connection with blackhat SEO campaigns, the Bahama 
botnet and the [18]malvertising attacks at the web site of 
the New York Times, I also [19]pointed out on their 
connection with an [20]Ukrainian dating scam agency 
profiled before, whose botnet was also linked to [21]money 
mule recruitment campaigns in May, 2009. 

[22] An excerpt is worth a thousand words: 

The historical OSINT paragraph mentioned that several of 

the scareware domains pushed during the past two 
weeks 

were responding to 62.90.136.237 . This very same 
62.90.136.207 IP was hosting domains part of an 

[23] Ukrainian 945 


dating scam agency known as [24]Confidential Connections 
earlier this year, whose spamming operations were 

linked to a [25]botnet involved in money mule recruitment 
activities. 

For the time being, the following dating scam domains are 
responding to the same IP: 

healthe-lovesite .com - Email: potenciallio@safe-mail.net 

love-isaciick .com - Email: potenciallio@safe-mail.net 

love-is-special .com - Email: potenciallio@safe-mail.net 

only-loveall .com - Email: potenciallio@safe-mail.net 

and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net 

andiloveyoutoo .com - Email: menorstlO@yahoo.com 

romantic-love-forever .com - Email: potenciallio@safe- 
mail.net 

love-youloves .com - Email: potenciallio@safe-mail.net 

love-galaxys .com - Email: potenciallio@safe-mail.net 

love-formeandyou .com - Email: potenciallio@safe- 
mail.net 

ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 
love-isexcellent .net - Email: potenciallio@safe-mail.net 
Could it get even more malicious and fraudulent than that? 



Appreciate my rhetoric. 

The same email 
946 

(potenciallio@safe-mail.net) that was used to register the 
dating scam domains was also [26]used to register exploit 
serving domains at 195.88.190.247, [27]participate in 
phishing campaigns, and register a [28]money mule 
recruitment site for the non-existent [29[Allied Insurance 
LLC. (Allied Group, Inc.). 

Of course, the money made in process looks like pocket 
change compared to the money they gang makes 

through blackhat SEO, click fraud and scareware in general 
- go through the related posts at the bottom of the 

article. But since they've previously indicated what I 
originally anticipated they'll do sooner or later, namely, 
start diversifying and experimenting due to the ever¬ 
growing compromised infrastructure, what they'll do next on 
the 

Mac front is an issue worth keeping an eye on. 
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How the Koobface Gang Monetizes Mac OS X Traffic 
(2010-02-02 18:07) 

Mac users appear to have a special place in the heart of the 
Koobface gang, since they've recently started 
experimenting with a monetization strategy especially for 
them - by compromising legitimate sites for the sole 
purpose of embedding them with the popular PHP backdoor 
shell C99 (Synsta mod), in an attempt to redirect all the Mac 
OS X 

traffic to affiliate dating programs, such as for instance 
[l]AdultFriendFinder. 

The use of Synsta's C99 mod is not a novel approach, the 
gang has been using for over an year and a half now. The 
original KROTEG injected script, is now including a " hey 
rogazi" message. "Hey rogazi" appears to be some kind of 
slang 949 
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word ( rogatstsi) for scooter driving Italian people. What's 
also interesting to point out is that the Mac OS X redirection 
takes place through one of the few currently active 








centralized IPs from Koobface 1.0's infrastructure - 

61.235.117.83. 
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This very same IP (profiled in [2]August, 2009 and then in 
[3]September, 2009) was once brought offline thanks to the 
folks at China CERT, but quickly resumed operation, with 
Koobface 1.0's "leftovers" xtsd20090815 .com and kiano- 
180809 .com (domain was [4]serving client-side exploits 
in November 2009's experiment by the Koobfae gang, 
followed by another one again hosted at 61.235.117.83) 
still parked there. 

• Go through related web shell backdoors, monetization 
posts: [5]A Compilation of Web Backdoors; ^Mone¬ 
tizing Web Site Defacements; [7]Underground Multitasking 
in Action; [8]Monetizing Compromised Web Sites, 

[9]Web Site Defacement Groups Going Phishing 
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Moreover, this China-based IP (it even has a modest 
[10]Alexa pagerank) was also the centralized redirection 
point in Koobface 1.0's scareware business model using 
popup.php to redirect to a systematically updated portfolio 
of scareware domains, and the first time ever that I came 
across to what [ll]the gang is now publicly acknowledging 
as the " 2008 ali baba and 40, LLC" team. 

[12JAS9394 (CRNET) itself is currently hosting the following 
active Zeus crimeware campaigns: 


[13] 6alava .com - 61.235.117.70 - Email: 
necks@corporatemail.ru 

[14] sicha-linna .com - 61.235.117.77 - Email: 
stay@bigmai I box.ru 

[15] stopspaming .com - 61.235.117.70 - Email: 
bunco@e2mail.ru 

[16] ubojnajasila .net - 61.235.117.87 - Email: 
ubojnajasila.net@contactprivacy.com 

Here's how the experiment looks like in its current form. 
Once the OS is detected, the redirection takes place 

through 61.235.117.83 /mac.php -> 61.235.117.83 
/vvv.htm loading the following pages, using the gang's 
unique campaign IDs at AdultFriendFinder: 

- BestDatingDirect .com/page hot.php? 
page=random &did = 14029 

- adultfriendfinder .com/go/page/ad ffadult gonzo? 
pid = p291351.sub2w954 &lang=english 

- adultfriendfinder .com/go/page/landing page 
_geobanner?pid=g227362-ppc 
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Parked on 63.218.226.67 - AS3491; PCCWGIobal-ASN 
PCCW Global is the rest of the dating site redirectors: 

bestdatingdirect .com 


bestnetdate .com 


currentdating .com 
datefunclub .com 
enormousdating .com 
giantdating .com 
onlinelovedating .com 
worldbestdate .com 
worlddatinghere .com 

This isn't the first time that the Koobface gang is attempting 
to monetize traffic through dating affiliate networks. In fact, 
in November's M [17]Koobface Botnet's Scareware Business 
Model - Part Two" post emphasizing on the gang's 
connection with blackhat SEO campaigns, the Bahama 
botnet and the [18]malvertising attacks at the web site of 
the New York Times, I also [19]pointed out on their 
connection with an [20]Ukrainian dating scam agency 
profiled before, whose botnet was also linked to [21]money 
mule recruitment campaigns in May, 2009. 

[22] An excerpt is worth a thousand words: 

The historical OSINT paragraph mentioned that several of 

the scareware domains pushed during the past two 
weeks 

were responding to 62.90.136.237 . This very same 
62.90.136.207 IP was hosting domains part of an 

[23] Ukrainian 953 


dating scam agency known as [24]Confidential Connections 
earlier this year, whose spamming operations were 

linked to a [25]botnet involved in money mule recruitment 
activities. 

For the time being, the following dating scam domains are 
responding to the same IP: 

healthe-lovesite .com - Email: potenciallio@safe-mail.net 

love-isaciick .com - Email: potenciallio@safe-mail.net 

love-is-special .com - Email: potenciallio@safe-mail.net 

only-loveall .com - Email: potenciallio@safe-mail.net 

and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net 

andiloveyoutoo .com - Email: menorstlO@yahoo.com 

romantic-love-forever .com - Email: potenciallio@safe- 
mail.net 

love-youloves .com - Email: potenciallio@safe-mail.net 

love-galaxys .com - Email: potenciallio@safe-mail.net 

love-formeandyou .com - Email: potenciallio@safe- 
mail.net 

ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 
love-isexcellent .net - Email: potenciallio@safe-mail.net 
Could it get even more malicious and fraudulent than that? 



Appreciate my rhetoric. 

The same email 
954 

(potenciallio@safe-mail.net) that was used to register the 
dating scam domains was also [26]used to register exploit 
serving domains at 195 . 88 . 190 . 247 , [27]participate in 
phishing campaigns, and register a [28]money mule 
recruitment site for the non-existent [29[Allied Insurance 
LLC. (Allied Group, Inc.). 

Of course, the money made in process looks like pocket 
change compared to the money they gang makes 

through blackhat SEO, click fraud and scareware in general 
- go through the related posts at the bottom of the 

article. But since they've previously indicated what I 
originally anticipated they'll do sooner or later, namely, 
start diversifying and experimenting due to the ever¬ 
growing compromised infrastructure, what they'll do next on 
the 

Mac front is an issue worth keeping an eye on. 

Related Koobface gang/botnet research: 

[30] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[31] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[32] Koobface Botnet Starts Serving Client-Side Exploits 



[33] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[34] Koobface Botnet's Scareware Business Model - Part Two 

[35] Koobface Botnet's Scareware Business Model - Part One 

[36] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[37] New Koobface campaign spoofs Adobe's Flash updater 

[38] Social engineering tactics of the Koobface botnet 

[39] Koobface Botnet Dissected in a TrendMicro Report 

[40] Movement on the Koobface Front - Part Two 

[41] Movement on the Koobface Front 

[42] Koobface - Come Out, Come Out, Wherever You Are 

[43] Dissecting Koobface Worm's Twitter Campaign 
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PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild (2010-02-03 22:42) 

Pushdo/Cutwail's customers, or perhaps the botnet masters 
themselves, continue rotating the malware campaigns, 

with the very latest one using a 11 Photo Archive #2070735" 
theme, and continuing to server client-side exploits hosted 
within crimeware-friendly networks it's time we profile and 
expose. 

• [l]Extensive list of the domains/subdomains involved at 
Gary Warner's blog. 
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Photo Archives Hosting describes itself as: 

" Photos Archives Hosting has a zero-tolerance policy 
against ILLEGAL content. Ail archives and links are provided 
by 3rd parties. We have no control over the content of these 
pages. We take no responsibility for the content on any 
website which we link to, please use your own discretion 








while surfing the links. © 2007-2009, Photos Archives 
Hosting Group, Inc.- ALL RIGHTS RESERVED. " 

- Sample URL: 

photoshock. Ma I wareDomain/idl073bv/get.php? 
email = 


- Sample iFrame from this week's campaign: 

109.95.115.36 /usasp22/in.php 

-[2] Sample iFrame from last week: 109.95.114 .251 
/usOld/; 109.95.115.36 /usasp/in.php 

-[3] Sample iFrame used two weeks ago: 109.95.114 
.251/uksl/in.php 

- Detection rate: PhotoArchive.exe ([4]Trojan- 
Spy.Win32.Zbot); dropped file.exe ([5]Trojan- 
Spy.Win32.Zbot) 

Upon execution, it drops 
C:\WINDOWS\system32\sdra64.exe; 
C:\WINDOWS\system32\lowseckslashuser.ds.lll and 

phones back to the [6]Zeus-crimeware serving: horosta 
.ru/cbd/nekovo.bri ; horosta .ru/ip.php - 109.95.115.19 

Email: bernardo_pr@inbox.ru 

Who's offering the hosting infrastructure for the actual 
domains/malware binaries and nameservers? 

- [7]AS50215 (TROYAK-AS Starchenko Roman Fedorovich) - 
[8]profiled here 


- [9]109.95.112.0/22 - [10]AS50369 - VISHCLUB-as 
Kanyovskiy Andriy Yuriyovich 



- 193.104.41.0/24 - [11]AS49934 - VVPN-AS PE Voronov 
Evgen Sergiyovich 

- [12]91.200.164.0/22 - [13]AS47560 - VESTEH-NET-as 
Vesteh LLC 

What's worth pointing out is that 11 TROYAK-AS Starchenko 
Roman Fedorovich" is positioning itself as 

[ 14]Ethernet,home,LAN,net,provider,ISP,Homenet provider 

at [15]ctlan.net. 

Just like the 11 [16]Fake Web Fiost- 

ing Provider - Front-end to Sea re ware Blackhat SEO 
Campaign at Biogspot' and " [17]GazTranzitStroylnfo - a 
Fake Russian Gas Company Facilitating Cybercrime" 

All of the involved domains have already been blacklisted 
by the Zeus Tracker. However, with the campaign¬ 
ers at large, what's TROYAK-AS today, will be yet another 
cybecrime-friendly AS tomorrow. 
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21. http://ddanchev.blo as pot.com/2QQ9/12/pushdo- 
ini ectin a -bo a us-swine-f1u.html 

22. http://ddanchev.blo as pot.com/2QQ9/ll/vour-maiibox- 
has-been-deactivated-spam.html 

23. http://ddanchev.blo as pot.com/2QQ9/lQ/on a oin a -fdic- 
s pam-campai a n-serves-zeus.html 

24. http://ddanchev.blo as pot.com/2QQ9/Q7/multitaskin a- 
fast-f1ux-botnet-that.html 


25. http://ddanchev.blo as pot.com/ 

26. http://twitter.com/danchodanchev 
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A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

(2010-02-04 00:50) 

With [l]scareware/rogueware/fake security software 
continuing to be the cash-cow choice for the Koobface gang, 

keeping them on a short leash in order to become the 
biggest [2]opportunity cost for the gang's business model is 
crucial. The following are currently active blackhat SEO 
































redirectors/Koobface-infected hosts redirectors and actual 
scareware domains courtesy of the gang. 
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Blackhat SEO redirectors, also embedded at Koobface- 
infected hosts, with identical redirector ID (?pid=312s02 

&sid=4dbl2f): 

fordusedsales .com - 193.104.106.250 - Email: 
test@now.net.cn 

buylexuscustoms .com - 91.212.226.185 - Email: 
test@now.net.cn 

tracegirlsonline .com - 89.248.168.22 - Email: 
test@now.net.cn 

skypetollfree .com - 96.44.128.245 - Email: 
test@now.net.cn 

dendy-trens .com - Email: test@now.net.cn 

pretendtolove .com - Email: test@now.net.cn 

bewareoffreebies .com - Email: test@now.net.cn 

harry-the-potter .com - Email: test@now.net.cn 

getlancomediscount .com - Email: 
baldwinnere@yahoo.co.uk 

vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 


Iady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 

volvomodeltoys .com - Email: CourtneyRWebb@aol.com 

manilawebcamera .com - Email: monkey22@live.com 

mumbaiwebcamera .com - Email: monkey22@live.com 

karachiwebcamera .com - Email: monkey22@live.com 

delhiwebcamera .com - Email: monkey22@live.com 

istanbulwebcamera .com - Email: monkey22@live.com 

lexusmodeltoys .com - Email: monkey22@live.com 

chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 


bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 


Upon redirection, the scareware is served from malware-b- 
scan .com -96.44.128.245; 91.212.226.97; 

91.212.226.185; 91.121.45.67, 91.212.226.203, 
94.228.209.195 - Email: mail@bristonnews.com. 
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Sample detection rate for newly introduced scareware 
samples: [3]Setup _312s2.exe - Result: 3/40 (7.5 %), 

[4]Setup _312s2.exe - Result: 4/39, [5]Setup 
_312s22.exe - Result: 2/39 (5.13 %), [6]Setup 
_312s2.exe - Result: 6/39 (15.39 %), [7]Setup 
_312s2.exe - Result: 1/40 (2.5 %), [8]Setup _312s2.exe - 
Result: 1/39 (2.56 %), [9]Setup _312s2.exe - Result: 3/39 
(7.7 %). [10]Setup _312s2.exe - Result: 4/40 (10 %), 
[ll]Setup _312s2.exe - Result: 1/40 (2.5 %), [12]Setup 
_312s2.exe - Result: 4/40 (10 %), [13]Setup _312s2.exe 
- Result: 5/41 (12.2 %), [14]Setup _312s2.exe - Result: 
5/41 (12.2 %), [15]Setup _312s2.exe - Result: 5/41 (12.2 
%), [16]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[17]Setup _312s2.exe - Result: 4/41 (9.76 %), [18]Setup 
_312s2.exe - Result: 5/41 (12.2 %), [19]Setup 
_312s2.exe - Result: 4/41 (9.76 %), [20]Setup 
_312s2.exe - Result: 3/41 (7.32 %), [21]Setup 
_312s2.exe - Result: 6/41 (14.63 %). 

Upon execution the sample phones back to winxp7server 
.com/download/winlogo.bmp - 94.228.208.57; 
rescuesy-supdate .com/?b=312s2 - 83.133.125.216. 
The most recent samples ( Wednesday, February 10, 2010) 
phone back to wintimeserver .com/?b=312s2 - 
91.212.226.125 and firmwaredownloadserver 
.com/download/winlogo.bmp 



- 94.228.208.57. 


The most recent samples ( Sunday, February 21, 2010) 
phone back to firmwaredown- 

loadserver.com /download/winlogo.bmp - 

94.228.208.57; 

shifustserver.com /download/winlogo.bmp - 

94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 

The 

most 

recent 

samples 

( Friday, 

February 

12 , 

2010 ) 

phone 

back 

to 

firmwaredownloadserver 

.com/download/winlogo.bmp - 94.228.208.57; 
checklatestversion .com/?b=312s - 109.232.225.75 
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Parked on the same IPs are more scareware domains part of 
the portfolio: 

195.5.161.107/psxl/?vih = = RAND0M STRINGS - no 
domain name 

91.212.132.241 /psxl/?vih = = RANDOM STRINGS 
195.5.161.105 /psxl/?vih = = RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn 
zin-antivirus-scan .com - Email: test@now.net.cn 
nextgen-scannert .com - Email: test@now.net.cn 
protectionl5scan .com - Email: test@now.net.cn 
nitro-antispyware .com - Email: test@now.net.cn 
z2-antispyware .com - Email: test@now.net.cn 
spy-detectore .com - Email: admin@clossingt.com 
dis7-antivirus .com - Email: admin@vertigosmart.com 
v2comp-scanner .com - Email: admin@vertigosmart.com 
new-av-scannere .com - Email: missbarlingmail@aol.com 
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smartvirus-scan6 .com - Email: info@terranova.com 
spywaremaxscan4 .com - Email: out@trialzoom.com 


super6antispyware .com - Email: mail@ordercom.com 

spyware-max-scan3 .com - Email: out@trialzoom.com 

max-antivirus-security5 .com - Email: 
mail@dynadoter.com 

winterdiscounts5 .com - Email: mail@haselbladtour.com 
11-antivirus .com - Email: call555call@live.com 
1-antivirus .com - Email: call555call@live.com 
lm-online-scanner .com - Email: stellar2@yahoo.com 
2m-online-scanner .com - Email: stellar2@yahoo.com 
2pro-antispyware .com - Email: mail@yahoo.com 
3pro-antispyware .com - Email: mail@yahoo.com 

6- antivirus .com - Email: call555call@live.com 

7- antivirus .com - Email: call555call@live.com 
9-antivirus .com - Email: call555call@live.com 
aO-online-scanner .com - Email: stellar2@yahoo.com 
a9-online-scanner .com - Email: stellar2@yahoo.com 
aa-antivirus .com - Email: call555call@live.com 
aa-online-scanner .com - Email: call555call@live.com 
ab-antivirus .com - Email: call555call@live.com 
ac-antivirus .com - Email: call555call@live.com 



ad-antivirus .com - Email: call555call@live.com 
advl-system-scanner .com - Email: JayRKibbe@live.com 
adv2-system-scanner .com - Email: JayRKibbe@live.com 
ae-antivirus .com - Email: call555call@live.com 
antivirus-expert-a .com - Email: 900ekony@live.com 
antivirus-expert-i .com - Email: 900ekony@live.com 
antivirus-expert-r .com - Email: 900ekony@live.com 
antivirus-expert-y .com - Email: 900ekony@live.com 
antivirussystemscanl .com - Email: 900ekony@live.com 
antivirussystemscana .com - Email: 900ekony@live.com 
army-antispywarea .com - Email: beliec99@yahoo.com 
army-antispywarei .com - Email: beliec99@yahoo.com 
army-antispywarel .com - Email: beliec99@yahoo.com 
army-antispywarep .com - Email: beliec99@yahoo.com 
army-antivirusa .com - Email: beliec99@yahoo.com 
army-antivirusd .com - Email: beliec99@yahoo.com 
army-antivirust .com - Email: beliec99@yahoo.com 
army-antivirusv .com - Email: beliec99@yahoo.com 
army-antivirusy .com - Email: beliec99@yahoo.com 
bl-online-scanner .com - Email: stellar2@yahoo.com 



best-antiviruskO .com 


bestpd-virusscanner .com - Email: 

SusanCWag ner@yahoo.com 

bestpr-virusscanner .com - Email: 
SusanCWagner@yahoo.com 

crystal-antimalware .com - Email: mail@vertigocats.com 
crystal-antivirus .com - Email: mail@vertigocats.com 
crystal-pro-scan .com - Email: mail@vertigocats.com 
crystal-pro-scanner .com - Email: mail@vertigocats.com 
crystal-spyscanner .com - Email: mail@vertigocats.com 
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crystal-threatscanner .com - Email: 
mail@vertigocats.com 

crystal-virusscanner .com - Email: mail@vertigocats.com 
extra-spyware-defencea .com - Email: fabula8@live.com 
extra-spyware-defenceb .com - Email: fabula8@live.com 
malware-a-scan .com - Email: mail@bristonnews.com 
malware-b-scan .com - Email: mail@bristonnews.com 
malware-c-scan .com - Email: mail@bristonnews.com 
malware-d-scan .com - Email: mail@bristonnews.com 
malware-t-scan .com - Email: mail@bristonnews.com 



mega-antispywarea .com - Email: fabula8@live.com 

mega-antispywareb .com - Email: fabula8@live.com 

mm-online-scanner .com - Email: stellar2@yahoo.com 

my-computer-antivirusa .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusb .com - Email: 
dillinzerl@yahoo.com 

my-computer-antiviruse .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusq .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusw .com - Email: 
dillinzerl@yahoo.com 

my-computer-scanc .com - Email: 
clintommail2@yahoo.com 

my-computer-scane .com - Email: 
clintommail2@yahoo.com 

my-computer-scanl .com - Email: 
clintommail2@yahoo.com 

my-computer-scannera .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerl .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerm .com - Email: 
clintommail2@yahoo.com 



my-computer-scannern .com - Email: 
cl intommai l2@yahoo.com 

my-computer-scannerv .com - Email: 
clintommail2@yahoo.com 

my-computer-scanw .com - Email: 
clintommail2@yahoo.com 

my-pc-online-scanm .com - Email: dillinzerl@yahoo.com 
my-pc-online-scann .com - Email: dillinzerl@yahoo.com 
my-pc-online-scanr .com - Email: dillinzerl@yahoo.com 
my-pc-online-scanv .com - Email: dillinzerl@yahoo.com 
nl-system-scanner .com - Email: JayRKibbe@live.com 
n2-system-scanner .com - Email: JayRKibbe@live.com 
nasa-antivirusl .com - Email: call555call@live.com 
nasa-antivirus3 .com - Email: call555call@live.com 
nasa-antivirusa .com - Email: call555call@live.com 
nasa-antivirusb .com - Email: call555call@live.com 
nasa-antiviruso .com - Email: call555call@live.com 
pcl-system-scanner .com - Email: JayRKibbe@live.com 
pc2-system-scanner .com - Email: JayRKibbe@live.com 
proO-antivirus .com - Email: mail@yahoo.com 
proO-system-scanner .com - Email: JayRKibbe@live.com 



prol-system-scanner .com - Email: JayRKibbe@live.com 

pro2-antivirus .com - Email: mail@yahoo.com 

pro4-antivirus .com - Email: mail@yahoo.com 

pro6-antivirus .com - Email: mail@yahoo.com 

pro8-antivirus .com - Email: mail@yahoo.com 

remote-antispywarec .com - Email: 
teresa2mail.me@live.com 

remote-antispywared .com - Email: 
teresa2mail.me@live.com 

remote-antispywaree .com - Email: 
teresa2mail.me@live.com 
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remote-antispywarey .com - Email: 
teresa2mail.me@live.com 

remote-pcl-scanner .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannera .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannerr .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannerv .com - Email: 
teresa2mail.me@live.com 


remote-pc-scannery .com - Email: 
teresa2mail.me@l ive.com 

scan3antispyware .com - Email: o@mozzilastuf.com 

scan6antispyware .com - Email: o@mozzilastuf.com 

scan8antispyware .com - Email: o@mozzilastuf.com 

scan-antispywarea .com - Email: o@mozzilastuf.com 

scan-antispywarec .com - Email: o@mozzilastuf.com 

scan-antispywared .com - Email: o@mozzilastuf.com 

scan-antispywarez .com - Email: o@mozzilastuf.com 

spyware-01-scanner .com - Email: 
mail@bristonnews.com 

spyware-03-scanner .com - Email: 
mail@bristonnews.com 

spyware-05-scanner .com - Email: 
mail@bristonnews.com 

spyware-06-scanner .com - Email: 
mail@bristonnews.com 

spyware-07-scanner .com - Email: 
mail@bristonnews.com 

stcanning-your-computerc .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerd .com - Email: 
mitra66@yahoo.com 



stcanning-your-computerq .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerr .com - Email: 
mitra66@yahoo.com 

stcanning-your-computert .com - Email: 
mitra66@yahoo.com 
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stcanning-your-pca .com - Email: mitra66@yahoo.com 

stcanning-your-pcb .com - Email: mitra66@yahoo.com 

stcanning-your-pcc .com - Email: mitra66@yahoo.com 

stcanning-your-pcd .com - Email: mitra66@yahoo.com 

stcanning-your-pce .com - Email: mitra66@yahoo.com 

stealthvl-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv2-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv7-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv8-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv9-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

verl-system-scanner .com - Email: JayRKibbe@live.com 



ver2-system-scanner .com - Email: JayRKibbe@live.com 

virus-al-scanner .com - Email: mail@bristonnews.com 

virus-al-scanner .com - Email: mail@bristonnews.com 

virus-bl-scanner .com - Email: mail@bristonnews.com 

virus-bl-scanner .com - Email: mail@bristonnews.com 

virus-cl-scanner .com - Email: mail@bristonnews.com 

virus-cl-scanner .com - Email: mail@bristonnews.com 

virus-dl-scanner .com - Email: mail@bristonnews.com 

virus-dl-scanner .com - Email: mail@bristonnews.com 

virus-e2-scanner .com - Email: mail@bristonnews.com 

virus-e2-scanner .com - Email: mail@bristonnews.com 

windowsv5-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv6-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv7-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv8-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv9-antispyware .com - Email: 
SteveLCartwright@yahoo.com 


zO-online-scanner .com - Email: stellar2@yahoo.com 



zl-online-scanner .com - Email: stellar2@yahoo.com 
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Active scareware domains portfolio (blackhat SEO/Koobface 
pushed) parked at [22]212.150.164.190 - AS1680 - 

NV-ASN 013 NetVision Ltd : 

antispy-download .org - Email: 
robertsimonkroon@gmail.com 

scanner-virus-free .org - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .org - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .org - Email: robertsimonkroon@gmail.com 

download-free-files .org - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .org - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .org - Email: 
michaeltycoon@gmail.com 

scanner-virus-free .com - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .com - Email: 
robertsimonkroon@gmail.com 


scanner-free-virus .com - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .com - Email: 
robertsimonkroon@gmail.com 

antispy-download .info - Email: 
robertsimonkroon@gmail.com 

soft-download-free .info - Email: 
robertsimonkroon@gmail.com 
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scanner-virus-free .info - Email: 
robertsimonkroon@gmail.com 

scanner-free-virus .info - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .info - Email: 
michaeltycoon@gmail.com 

adult-tube-free .net - Email: michaeltycoon@gmail.com 

scanner-virus-free .net - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .net - Email: robertsimonkroon@gmail.com 

download-free-files .net - Email: 
michaeltycoon@gmail.com 

scanner-free-virus .net - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .net - Email: 
robertsimonkroon@gmail.com 



ekjsoft .eu - Email: robertsimonkroon@gmail.com 

antispy-download .biz - Email: 
robertsimonkroon@gmail.com 

soft-download-free .biz - Email: 
robertsimonkroon@gmail.com 

scanner-virus-free .biz - Email: 
robertsimonkroon@gmail.com 

free-malware-scan .biz - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .biz - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .biz - Email: robertsimonkroon@gmail.com 

download-free-files .biz - Email: 
michaeltycoon@gmail.com 
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scanner-free-virus .biz - Email: 
robertsimonkroon@gmail.com 

download-free-soft .biz - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .biz - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .biz - Email: michaeltycoon@gmail.com 
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com 


alrzsoft .in - Email: petrenko.kolia@yandex.ru 

antispy-download .biz - Email: 
robertsimonkroon@gmail.com 

cool-tube-porn .net - Email: 
robertsimonkroon@gmail.com 

cool-tube-porn .org - Email: 
robertsimonkroon@gmail.com 

download-free-now .net - Email: 
robertsimonkroon@gmail.com 

download-free-now .org - Email: 
robertsimonkroon@gmail.com 

download-free-soft .com - Email: 
robertsimonkroon@gmail.com 

download-free-soft .net - Email: 
robertsimonkroon@gmail.com 

download-scaner-free .com - Email: 
robertsimonkroon@gmail.com 

ekjsoft .eu 
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fdglsoft .in - Email: petrenko.kolia@yandex.ru 

free-virus-scanner .net - Email: 
robertsimonkroon@gmail.com 

kleqsoft .in - Email: petrenko.kolia@yandex.ru 


kltysoft .in - Email: petrenko.kolia@yandex.ru 

ktyjsoft .in - Email: petrenko.kolia@yandex.ru 

kyezsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrjsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrtsoft .in - Email: petrenko.kolia@yandex.ru 

mgtlsoft .in - Email: petrenko.kolia@yandex.ru 

porn-sex-tube .net - Email: robertsimonkroon@gmail.com 

porn-sex-tube .org - Email: robertsimonkroon@gmail.com 

scan-free-malware .net - Email: 
robertsimonkroon@gmail.com 

scan-free-malware .org - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .com - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .info - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .net - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .org - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .biz - Email: 
robertsimonkroon@gmail.com 



tube-best-porn .com - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .net - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .org - Email: 
robertsimonkroon@gmail.com 
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tube-porn-sex .info - Email: 
robertsimonkroon@gmail.com 

tube-porn-sex .net - Email: robertsimonkroon@gmail.com 
tube-porn-sex .org - Email: robertsimonkroon@gmail.com 

What's so special about the 

robertsimonkroon@gmail.com email anyway? 

It's the fact that not only was 

[23]the email was once again used to register [24]scareware 
domains two times in July, 2009, but also, as pointed out in 
November 2009's M [25]Koobface Botnet's Scareware 
Business Model - Part Two", the same email was used to 
register the following download locations for scareware 
domains pushed by the Koobface botnet: 

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com 

6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 

mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 

84u9wb2hsh4p6 .cn - Email: 
robertsimonkroon@gmail. com 



6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 

7cib5fzf462g8 .cn - Email: robertsimonkroon@gmaii.com 

7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmaii.com 

kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 

q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 

rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 

tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 

4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 

kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 

hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 

mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 

mt3pvkfmpi7de .cn - Email: 
robertsimon kroon@g mail, com 

fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com 

fyivbrl3b0dyf.cn - Email: robertsimonkroon@gmail.com 

z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 

ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 

p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 

gjpwsc5p7oe3m .cn - Email: 
robertsimon kroon@g mail, com 

fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 



7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com 

3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmaii.com 

p0umob9k2g7mp .cn - Email: 
robertsimonkroon@gmail. com 

od32qjx6meqos .cn - Email: 
robertsimonkroon@gmail. com 

bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 

7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 

Stay tuned for a massive Koobface related activities 
update, analyzing the gang's multi-tasking 
throughout 

the entire January, 2010 - descriptive historical 
OSINT offers long-term value in cross-checking for 
connections. 
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A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

( 2010 - 02-04 00 : 50 ) 

With [l]scareware/rogueware/fake security software 
continuing to be the cash-cow choice for the Koobface gang, 

keeping them on a short leash in order to become the 
biggest [2]opportunity cost for the gang's business model is 
crucial. The following are currently active blackhat SEO 
redirectors/Koobface-infected hosts redirectors and actual 
scareware domains courtesy of the gang. 
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Blackhat SEO redirectors, also embedded at Koobface- 
infected hosts, with identical redirector ID (?pid=312s02 

&sid=4dbl2f): 

freeticketwin.com - 91.212.226.25 - Email: 
test@now.net.cn 

lotteryvideowin.com - Email: test@now.net.cn 

videohototplaypoker.com - Email: test@now.net.cn 

financetopsecrets.com - Email: test@now.net.cn 

how2winforex.com - 91.212.226.136 - Email: 
test@now.net.cn 

2money4money.com - Email: test@now.net.cn 

get-money-quickly.com - Email: test@now.net.cn 

fordusedsales .com - 193.104.106.250 - Email: 
test@now.net.cn 

buylexuscustoms .com - 91.212.226.185 - Email: 
test@now.net.cn 

tracegirlsonline .com - 89.248.168.22 - Email: 
test@now.net.cn 

skypetollfree .com - 96.44.128.245 - Email: 
test@now.net.cn 

dendy-trens .com - Email: test@now.net.cn 
pretendtolove .com - Email: test@now.net.cn 


bewareoffreebies .com - Email: test@now.net.cn 

harry-the-potter .com - Email: test@now.net.cn 

getlancomediscount .com - Email: 
baldwinnere@yahoo.co.uk 

vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 
Iady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 

volvomodeltoys .com - Email: CourtneyRWebb@aol.com 
manilawebcamera .com - Email: monkey22@live.com 
mumbaiwebcamera .com - Email: monkey22@live.com 


karachiwebcamera .com - Email: monkey22@live.com 

delhiwebcamera .com - Email: monkey22@live.com 

istanbulwebcamera .com - Email: monkey22@live.com 

lexusmodeltoys .com - Email: monkey22@live.com 

chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 

bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 

Upon redirection, the scareware is served from malware-b- 
scan .com - 96.44.128.245; 91.212.226.97; 

91.212.226.185; 91.121.45.67, 91.212.226.203, 
94.228.209.195 - Email: mail@bristonnews.com. 
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Sample detection rate for newly introduced scareware 
samples: [3]Setup _312s2.exe - Result: 3/40 (7.5 %), 

[4]Setup _312s2.exe - Result: 4/39, [5]Setup 
_312s22.exe - Result: 2/39 (5.13 %), [6]Setup 
_312s2.exe - Result: 6/39 (15.39 %), [7]Setup 
_312s2.exe - Result: 1/40 (2.5 %), [8]Setup _312s2.exe - 
Result: 1/39 (2.56 %), [9]Setup _312s2.exe - Result: 3/39 
(7.7 %). [10]Setup _312s2.exe - Result: 4/40 (10 %), 
[lljSetup _312s2.exe - Result: 1/40 (2.5 %), [12]Setup 
_312s2.exe - Result: 4/40 (10 %), [13]Setup _312s2.exe 
- Result: 5/41 (12.2 %), [14]Setup _312s2.exe - Result: 
5/41 (12.2 %), [15]Setup _312s2.exe - Result: 5/41 (12.2 
%), [16]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[17]Setup _312s2.exe - Result: 4/41 (9.76 %), [18]Setup 
312s2.exe - Result: 5/41 (12.2 %), 



[19]Setup _312s2.exe - Result: 4/41 (9.76 %), [20]Setup 
_312s2.exe - Result: 3/41 (7.32 %), [21]Setup 
_312s2.exe 

- Result: 6/41 (14.63 %), [22]Setup _312s2.exe - Result: 
11/41 (26.83 %), [23]Setup _312s2.exe - Result: 4/42 
(9.53 %). 

Upon execution the sample phones back to winxp7server 
.com/download/winlogo.bmp - 94.228.208.57; 
rescuesy-supdate .com/?b=312s2 - 83.133.125.216. 
The most recent samples ( Wednesday, February 10, 2010) 
phone back to wintimeserver .com/?b=312s2 - 
91.212.226.125 and firmwaredownloadserver 
.com/download/winlogo.bmp 

- 94.228.208.57. 

The most recent samples ( Sunday, February 21, 2010) 
phone back to firmwaredown- 

loadserver.com /download/winlogo.bmp - 

94.228.208.57; 

shifustserver.com /download/winlogo.bmp - 

94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 

The 

most 

recent 

samples 

( Friday, 



February 

12 , 

2010 ) 

phone 

back 

to 

firmwaredownloadserver 

.com/download/winlogo.bmp - 94.228.208.57; 
checklatestversion .com/?b=312s - 109.232.225.75. 

The most recent samples ( Wednesday, February 24, 2010) 
phone back to 

shifustserver.com/download/winlogo.bmp 

- 94.228.208.57 - Email: viinzer@hotmail.com and version- 
upgrade. com/?b=312sl2 - 89.248.168.21. Parked on the 

same IP are also checklatestversion.com and 
fastwinupdates.com. 
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Parked on the same IPs are more scareware domains part of 
the portfolio: 

interlantivirus.com - 87.98.130.232- Email: 
test@now.net.cn 

virus-scan-d.com - 87.98.130.232 - Email: 
test@now.net.cn 


bl9-virus-scanner.com - 87.98.130.232 - Email: 
test@now.net.cn 

intera-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interc-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interd-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

intere-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

inter-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interlantivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

195.5.161.107/psxl/?vih = = RAND0M STRINGS - no 
domain name 

91.212.132.241 /psxl/?vih = = RANDOM STRINGS 
195.5.161.105 /psxl/?vih = = RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn 
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zin-antivirus-scan .com - Email: test@now.net.cn 
nextgen-scannert .com - Email: test@now.net.cn 
protection!5scan .com - Email: test@now.net.cn 



nitro-antispyware .com - Email: test@now.net.cn 

z2-antispyware .com - Email: test@now.net.cn 

spy-detectore .com - Email: admin@clossingt.com 

dis7-antivirus .com - Email: admin@vertigosmart.com 

v2comp-scanner .com - Email: admin@vertigosmart.com 

new-av-scannere .com - Email: missbarlingmail@aol.com 

smartvirus-scan6 .com - Email: info@terranova.com 

spywaremaxscan4 .com - Email: out@trialzoom.com 

super6antispyware .com - Email: mail@ordercom.com 

spyware-max-scan3 .com - Email: out@trialzoom.com 

max-antivirus-security5 .com - Email: 
mail@dynadoter.com 

winterdiscounts5 .com - Email: mail@haselbladtour.com 
11-antivirus .com - Email: call555call@live.com 
1-antivirus .com - Email: call555call@live.com 
lm-online-scanner .com - Email: stellar2@yahoo.com 
2m-online-scanner .com - Email: stellar2@yahoo.com 
2pro-antispyware .com - Email: mail@yahoo.com 
3pro-antispyware .com - Email: mail@yahoo.com 
6-antivirus .com - Email: call555call@live.com 



7-antivirus .com - Email: call555call@live.com 
9-antivirus .com - Email: call555call@live.com 
aO-online-scanner .com - Email: stellar2@yahoo.com 
a9-online-scanner .com - Email: stellar2@yahoo.com 
aa-antivirus .com - Email: call555call@live.com 
aa-online-scanner .com - Email: call555call@live.com 
ab-antivirus .com - Email: call555call@live.com 
ac-antivirus .com - Email: call555call@live.com 
ad-antivirus .com - Email: call555call@live.com 
advl-system-scanner .com - Email: JayRKibbe@live.com 
adv2-system-scanner .com - Email: JayRKibbe@live.com 
ae-antivirus .com - Email: call555call@live.com 
antivirus-expert-a .com - Email: 900ekony@live.com 
antivirus-expert-i .com - Email: 900ekony@live.com 
antivirus-expert-r .com - Email: 900ekony@live.com 
antivirus-expert-y .com - Email: 900ekony@live.com 
antivirussystemscanl .com - Email: 900ekony@live.com 
antivirussystemscana .com - Email: 900ekony@live.com 
army-antispywarea .com - Email: beliec99@yahoo.com 
army-antispywarei .com - Email: beliec99@yahoo.com 



army-antispywarel .com - Email: beliec99@yahoo.com 
army-antispywarep .com - Email: beliec99@yahoo.com 
army-antivirusa .com - Email: beliec99@yahoo.com 
army-antivirusd .com - Email: beliec99@yahoo.com 
army-antivirust .com - Email: beliec99@yahoo.com 
army-antivirusv .com - Email: beliec99@yahoo.com 
army-antivirusy .com - Email: beliec99@yahoo.com 
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bl-online-scanner .com - Email: stellar2@yahoo.com 

best-antiviruskO .com 

bestpd-virusscanner .com - Email: 
SusanCWagner@yahoo.com 

bestpr-virusscanner .com - Email: 
SusanCWagner@yahoo.com 

crystal-antimalware .com - Email: mail@vertigocats.com 

crystal-antivirus .com - Email: mail@vertigocats.com 

crystal-pro-scan .com - Email: mail@vertigocats.com 

crystal-pro-scanner .com - Email: mail@vertigocats.com 

crystal-spyscanner .com - Email: mail@vertigocats.com 

crystal-threatscanner .com - Email: 
mail@vertigocats.com 



crystal-virusscanner .com - Email: mail@vertigocats.com 

extra-spyware-defencea .com - Email: fabula8@live.com 

extra-spyware-defenceb .com - Email: fabula8@live.com 

malware-a-scan .com - Email: mail@bristonnews.com 

malware-b-scan .com - Email: mail@bristonnews.com 

malware-c-scan .com - Email: mail@bristonnews.com 

malware-d-scan .com - Email: mail@bristonnews.com 

malware-t-scan .com - Email: mail@bristonnews.com 

mega-antispywarea .com - Email: fabula8@live.com 

mega-antispywareb .com - Email: fabula8@live.com 

mm-online-scanner .com - Email: stellar2@yahoo.com 

my-computer-antivirusa .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusb .com - Email: 
dillinzerl@yahoo.com 

my-computer-antiviruse .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusq .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusw .com - Email: 
dillinzerl@yahoo.com 



my-computer-scanc .com - Email: 
cl intommai l2@yahoo.com 

my-computer-scane .com - Email: 
clintommail2@yahoo.com 

my-computer-scanl .com - Email: 
clintommail2@yahoo.com 

my-computer-scannera .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerl .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerm .com - Email: 
clintommail2@yahoo.com 

my-computer-scannern .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerv .com - Email: 
clintommail2@yahoo.com 

my-computer-scanw .com - Email: 
clintommail2@yahoo.com 

my-pc-online-scanm .com - Email: dillinzerl@yahoo.com 
my-pc-online-scann .com - Email: dillinzerl@yahoo.com 
my-pc-online-scanr .com - Email: dillinzerl@yahoo.com 
my-pc-online-scanv .com - Email: dillinzerl@yahoo.com 
nl-system-scanner .com - Email: JayRKibbe@live.com 
n2-system-scanner .com - Email: JayRKibbe@live.com 



nasa-antivirusl .com - Email: call555call@live.com 
nasa-antivirus3 .com - Email: call555call@live.com 
nasa-antivirusa .com - Email: call555call@live.com 
nasa-antivirusb .com - Email: call555call@live.com 
nasa-antiviruso .com - Email: call555call@live.com 
pcl-system-scanner .com - Email: JayRKibbe@live.com 
pc2-system-scanner .com - Email: JayRKibbe@live.com 
proO-antivirus .com - Email: mail@yahoo.com 
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proO-system-scanner .com - Email: JayRKibbe@live.com 

prol-system-scanner .com - Email:JayRKibbe@live.com 

pro2-antivirus .com - Email: mail@yahoo.com 

pro4-antivirus .com - Email: mail@yahoo.com 

pro6-antivirus .com - Email: mail@yahoo.com 

pro8-antivirus .com - Email: mail@yahoo.com 

remote-antispywarec .com - Email: 
teresa2mail.me@live.com 

remote-antispywared .com - Email: 
teresa2mail.me@live.com 


remote-antispywaree .com - Email: 
teresa2mail.me@l ive.com 

remote-antispywarey .com - Email: 
teresa2mail.me@l ive.com 

remote-pcl-scanner .com - Email: 
teresa2mail.me@l ive.com 

remote-pc-scannera .com - Email: 
teresa2 mail, me@live.com 

remote-pc-scannerr .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannerv .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannery .com - Email: 
teresa2mail.me@live.com 

scan3antispyware .com - Email: o@mozzilastuf.com 

scan6antispyware .com - Email: o@mozzilastuf.com 

scan8antispyware .com - Email: o@mozzilastuf.com 

scan-antispywarea .com - Email: o@mozzilastuf.com 

scan-antispywarec .com - Email: o@mozzilastuf.com 

scan-antispywared .com - Email: o@mozzilastuf.com 

scan-antispywarez .com - Email: o@mozzilastuf.com 

spyware-01-scanner .com - Email: 
mail@bristonnews.com 
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spyware-03-scanner .com - Email: 
mai l@bristonnews.com 

spyware-05-scanner .com - Email: 
mail@bristonnews.com 

spyware-06-scanner .com - Email: 
mail@bristonnews.com 

spyware-07-scanner .com - Email: 
mail@bristonnews.com 

stcanning-your-computerc .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerd .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerq .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerr .com - Email: 
mitra66@yahoo.com 

stcanning-your-computert .com - Email: 
mitra66@yahoo.com 

stcanning-your-pca .com - Email: mitra66@yahoo.com 
stcanning-your-pcb .com - Email: mitra66@yahoo.com 
stcanning-your-pcc .com - Email: mitra66@yahoo.com 
stcanning-your-pcd .com - Email: mitra66@yahoo.com 
stcanning-your-pce .com - Email: mitra66@yahoo.com 



stealthvl-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

stealthv2-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

stealthv7-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv8-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv9-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

verl-system-scanner .com - Email: JayRKibbe@live.com 
ver2-system-scanner .com - Email: JayRKibbe@live.com 
virus-al-scanner .com - Email: mail@bristonnews.com 
virus-al-scanner .com - Email: mail@bristonnews.com 
virus-bl-scanner .com - Email: mail@bristonnews.com 
virus-bl-scanner .com - Email: mail@bristonnews.com 
virus-cl-scanner .com - Email: mail@bristonnews.com 
virus-cl-scanner .com - Email: mail@bristonnews.com 
virus-dl-scanner .com - Email: mail@bristonnews.com 
virus-dl-scanner .com - Email: mail@bristonnews.com 
virus-e2-scanner .com - Email: mail@bristonnews.com 
virus-e2-scanner .com - Email: mail@bristonnews.com 



windowsv5-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

windowsv6-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

windowsv7-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv8-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv9-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

zO-online-scanner .com - Email: stellar2@yahoo.com 
zl-online-scanner .com - Email: stellar2@yahoo.com 
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Active scareware domains portfolio (blackhat SEO/Koobface 
pushed) parked at [24]212.150.164.190 - AS1680 - 

NV-ASN 013 NetVision Ltd : 

antispy-download .org - Email: 
robertsimonkroon@gmail.com 

scanner-virus-free .org - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .org - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .org - Email: robertsimonkroon@gmail.com 


download-free-files .org - Email: 
robertsi monkroon@gmail.com 

tube-porn-best .org - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .org - Email: 
michaeltycoon@gmail.com 

scanner-virus-free .com - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .com - Email: 
robertsimonkroon@gmail.com 

scanner-free-virus .com - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .com - Email: 
robertsimonkroon@gmail.com 

antispy-download .info - Email: 
robertsimonkroon@gmail.com 

soft-download-free .info - Email 
robertsimonkroon@gmail.com 
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scanner-virus-free .info - Email: 
robertsimonkroon@gmail.com 

scanner-free-virus .info - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .info - Email: 
michaeltycoon@gmail.com 



adult-tube-free .net - Email: michaeltycoon@gmail.com 

scanner-virus-free .net - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .net - Email: robertsimonkroon@gmail.com 

download-free-files .net - Email: 
michaeltycoon@gmail.com 

scanner-free-virus .net - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .net - Email: 
robertsimonkroon@gmail.com 

ekjsoft .eu - Email: robertsimonkroon@gmail.com 

antispy-download .biz - Email: 
robertsimonkroon@gmail.com 

soft-download-free .biz - Email: 
robertsimonkroon@gmail.com 

scanner-virus-free .biz - Email: 
robertsimonkroon@gmail.com 

free-malware-scan .biz - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .biz - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .biz - Email: robertsimonkroon@gmail.com 

download-free-files .biz - Email: 
michaeltycoon@gmail.com 
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scanner-free-virus .biz - Email: 
robertsimonkroon@gmail.com 

download-free-soft .biz - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .biz - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .biz - Email: michaeltycoon@gmail.com 

porn-tube-sex .biz - Email: robertsimonkroon@gmail.com 

alrzsoft .in - Email: petrenko.kolia@yandex.ru 

antispy-download .biz - Email: 
robertsimonkroon@gmail.com 

cool-tube-porn .net - Email: 
robertsimonkroon@gmail.com 

cool-tube-porn .org - Email: 
robertsimonkroon@gmail.com 

download-free-now .net - Email: 
robertsimonkroon@gmail.com 

download-free-now .org - Email: 
robertsimonkroon@gmail.com 

download-free-soft .com - Email: 
robertsimonkroon@gmail.com 


download-free-soft .net - Email: 
robertsimonkroon@gmail.com 

download-scaner-free .com - Email: 
robertsimonkroon@gmail.com 

ekjsoft .eu 
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fdglsoft .in - Email: petrenko.kolia@yandex.ru 

free-virus-scanner .net - Email: 
robertsimonkroon@gmail.com 

kleqsoft .in - Email: petrenko.kolia@yandex.ru 

kltysoft .in - Email: petrenko.kolia@yandex.ru 

ktyjsoft .in - Email: petrenko.kolia@yandex.ru 

kyezsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrjsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrtsoft .in - Email: petrenko.kolia@yandex.ru 

mgtlsoft .in - Email: petrenko.kolia@yandex.ru 

porn-sex-tube .net - Email: robertsimonkroon@gmail.com 

porn-sex-tube .org - Email: robertsimonkroon@gmail.com 

scan-free-malware .net - Email: 
robertsimonkroon@gmail.com 


scan-free-malware .org - Email: 
robertsimonkroon@gmail.com 


spyware-scaner-free .com - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .info - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .net - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .org - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .biz - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .com - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .net - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .org - Email: 
robertsimonkroon@gmail.com 
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tube-porn-sex .info - Email: 
robertsimonkroon@gmail.com 

tube-porn-sex .net - Email: robertsimonkroon@gmail.com 
tube-porn-sex .org - Email: robertsimonkroon@gmail.com 

What's so special about the 

robertsimonkroon@gmail.com email anyway? 



It's the fact that not only was 

[25]the email was once again used to register [26]scareware 
domains two times in July, 2009, but also, as pointed out in 
November 2009's M [27]Koobface Botnet's Scareware 
Business Model - Part Two", the same email was used to 
register the following download locations for scareware 
domains pushed by the Koobface botnet: 

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com 

6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 

mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 

84u9wb2hsh4p6 .cn - Email: 
robertsimonkroon@gmail. com 

6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 



mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 

mt3pvkfmpi7de .cn - Email: 
robertsimon kroon@g mail. com 

fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com 

fyivbrl3b0dyf.cn - Email: robertsimonkroon@gmaii.com 

z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 

ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 

p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 

gjpwsc5p7oe3m .cn - Email: 
robertsimon kroon@g mail, com 

fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 

7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com 

3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com 

p0umob9k2g7mp .cn - Email: 
robertsimon kroon@g mail, com 

od32qjx6meqos .cn - Email: 
robertsimon kroon @g mail, com 

bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 

7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 

Stay tuned for a massive Koobface related activities 
update, analyzing the gang's multi-tasking 
throughout 



the entire January, 2010 - descriptive historical 
OSINT offers long-term value in cross-checking for 
connections. 

Related Koobface gang/botnet research: 

[28] How the Koobface Gang Monetizes Mac OS X Traffic 

[29] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[30] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[31] Koobface Botnet Starts Serving Client-Side Exploits 

[32] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[33] Koobface Botnet's Scareware Business Model - Part Two 

[34] Koobface Botnet's Scareware Business Model - Part One 
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[35] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[36] New Koobface campaign spoofs Adobe's Flash updater 

[37] Social engineering tactics of the Koobface botnet 

[38] Koobface Botnet Dissected in a TrendMicro Report 

[39] Movement on the Koobface Front - Part Two 

[40] Movement on the Koobface Front 



[41] Koobface - Come Out, Come Out, Wherever You Are 

[42] Dissecting Koobface Worm's Twitter Campaign 

The Diverse Portfolio of Fake Security Software 
Series: 

[43] A Diverse Portfolio of Fake Security Software - Part 
Twenty Four 

[44] A Diverse Portfolio of Fake Security Software - Part 
Twenty Three 

[45] A Diverse Portfolio of Fake Security Software - Part 
Twenty Two 

[46] A Diverse Portfolio of Fake Security Software - Part 
Twenty One 

[47] A Diverse Portfolio of Fake Security Software - Part 
Twenty 

[48] A Diverse Portfolio of Fake Security Software - Part 
Nineteen 

[49] A Diverse Portfolio of Fake Security Software - Part 
Eighteen 

[50] A Diverse Portfolio of Fake Security Software - Part 
Seventeen 

[51] A Diverse Portfolio of Fake Security Software - Part 
Sixteen 

[52] A Diverse Portfolio of Fake Security Software - Part 
Fifteen 



[53] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[54] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[55] A Diverse Portfolio of Fake Security Software - Part 
Twelve 

[56] A Diverse Portfolio of Fake Security Software - Part 
Eleven 

[57] A Diverse Portfolio of Fake Security Software - Part Ten 

[58] A Diverse Portfolio of Fake Security Software - Part Nine 

[59] A Diverse Portfolio of Fake Security Software - Part Eight 

[60] A Diverse Portfolio of Fake Security Software - Part 
Seven 

[61] A Diverse Portfolio of Fake Security Software - Part Six 

[62] A Diverse Portfolio of Fake Security Software - Part Five 

[63] A Diverse Portfolio of Fake Security Software - Part Four 

[64] A Diverse Portfolio of Fake Security Software - Part Three 

[65] A Diverse Portfolio of Fake Security Software - Part Two 

[66] Diverse Portfolio of Fake Security Software 

This post has been reproduced from [67]Dancho Danchev's 
blog. Follow him [68]on Twitter. 
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http://www.virustotal.com/analisis/5122cef5ff65e00212c29c 
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78417 
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Qba450d943da9836b5d3flb3612683d9fcbec5b75fd-12659 
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00454 
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http://www.virustotal.com/analisis/5a4a50d2e4al023a8b80 

f2fb2bb68b31ebbf71b6a5127018e9656da6a0cl0cfd- 


12660 
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6eb7acde49938ed21clb52ac6ec70594595060e470-12669 

69210 

23. 
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koobface-worms-twitter.html 
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43. http://ddanchev.blo as pot.com/20Q9/12/diverse- 
portfolio-of-fake-securitv.html 

44. http://ddanchev.blo as pot.com/20Q9/Q7/diverse- 
portfolio-of-fake-securitv 27.html 

45. http://ddanchev.blo as pot.com/2QQ9/Q7/diverse- 
portfono-of-fake-securitv.html 

46. http://ddanchev.blo as pot.com/2QQ9/Q6/diverse- 
portfo l ro-of-fake-securitv.html 

47. http://ddanchev.blo as pot.com/2QQ9/Q5/diverse- 
portfolio-of-fake-securitv.html 

48. http://ddanchev.blo as pot.com/20Q9/Q4/diverse- 
portfolio-of-fake-securitv 16.html 

49. http://ddanchev.blo as pot.com/2QQ9/Q4/diverse- 
portfolio-of-fake-securitv.html 















































50. http://ddanchev.blo as DOt.com/2009/Q3/diverse- 
portfoliio-of-fake-securitv 31.html 

51. http://ddanchev.blo as pot.com/2009/Q3/diverse- 
portfolio-of-fake-securitv.html 

52. http://ddanchev.blo as pot.com/2009/Q2/diverse- 
portfono-of-fake-securitv.html 

53. http://ddanchev.blo as pot.com/20Q9/01/diverse- 
portfolio-of-fake-securitv.html 

54. http://ddanchev.blo as pot.com/20Q8/ll/diverse- 
portfolio-of-fake-securitv 12.html 

55. http://ddanchev.blo as pot.com/20Q8/ll/diverse- 
portfolio-of-fake-securitv.html 

56. http://ddanchev.blo as pot.com/20Q8/10/diverse- 
portfolio-of-fake-securitv 28.html 

57. http://ddanchev.blo as pot.com/20Q8/10/diverse- 
portfolio-of-fake-securitv 22.html 

58. http://ddanchev.blo as pot.com/20Q8/10/diverse- 
portfolio-of-fake-securitv 16.html 

59. http://ddanchev.blo as pot.com/20Q8/10/diverse- 
portfolio-of-fake-securitv.html 

60. http://ddanchev.blo as pot.com/2008/Q9/diverse- 
portfoiro-of-fake-securitv 30.html 

61. http://ddanchev.blo as pot.com/2008/Q9/diverse- 
portfol!o-of-fake-securitv 24.html 

62. http://ddanchev.blo as pot.com/2008/Q9/diverse- 
portfolio-of-fake-securitv.html 






















































63. http://ddanchev.blo as DOt.com/2QQ8/Q8/diverse- 
portfoliio-of-fake-securitv 25.html 


64. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv 20.html 

65. http://ddanchev.blo as pot.com/2QQ8/Q8/diverse- 
portfolio-of-fake-securitv.html 

66. http://ddanchev.blo as pot.com/2QQ7/12/diverse- 
portfolio-of-fake-securitv.html 

67. http://ddanchev.blo as pot.com/ 

68. http://twitter.com/danchodanchev 
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A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

( 2010 - 02-04 00 : 50 ) 

With [l]scareware/rogueware/fake security software 
continuing to be the cash-cow choice for the Koobface gang, 

keeping them on a short leash in order to become the 
biggest [2]opportunity cost for the gang's business model is 
crucial. The following are currently active blackhat SEO 
redirectors/Koobface-infected hosts redirectors and actual 
scareware domains courtesy of the gang. 
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Blackhat SEO redirectors, also embedded at Koobface- 
infected hosts, with identical redirector ID (?pid=312s02 

&sid=4dbl2f): 

freeticketwin.com - 91.212.226.25 - Email: 
test@now.net.cn 

lotteryvideowin.com - Email: test@now.net.cn 

videohototplaypoker.com - Email: test@now.net.cn 

financetopsecrets.com - Email: test@now.net.cn 

how2winforex.com - 91.212.226.136 - Email: 
test@now.net.cn 

2money4money.com - Email: test@now.net.cn 

get-money-quickly.com - Email: test@now.net.cn 

fordusedsales .com - 193.104.106.250 - Email: 
test@now.net.cn 

buylexuscustoms .com - 91.212.226.185 - Email: 
test@now.net.cn 

tracegirlsonline .com - 89.248.168.22 - Email: 
test@now.net.cn 

skypetollfree .com - 96.44.128.245 - Email: 
test@now.net.cn 

dendy-trens .com - Email: test@now.net.cn 
pretendtolove .com - Email: test@now.net.cn 
bewareoffreebies .com - Email: test@now.net.cn 



harry-the-potter .com - Email: test@now.net.cn 

getlancomediscount .com - Email: 
baldwinnere@yahoo.co.uk 

vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 
Iady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 

volvomodeltoys .com - Email: CourtneyRWebb@aol.com 
manilawebcamera .com - Email: monkey22@live.com 
mumbaiwebcamera .com - Email: monkey22@live.com 
karachiwebcamera .com - Email: monkey22@live.com 


delhiwebcamera .com - Email: monkey22@live.com 

istanbulwebcamera .com - Email: monkey22@live.com 

lexusmodeltoys .com - Email: monkey22@live.com 

chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 

bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 

Upon redirection, the scareware is served from malware-b- 
scan .com - 96.44.128.245; 91.212.226.97; 
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91.212.226.185; 91.121.45.67, 91.212.226.203, 
94.228.209.195 - Email: mail@bristonnews.com. 

Sample detection rate for newly introduced scareware 
samples: [3]Setup _312s2.exe - Result: 3/40 (7.5 %), 

[4]Setup _312s2.exe - Result: 4/39, [5]Setup 
_312s22.exe - Result: 2/39 (5.13 %), [6]Setup 
_312s2.exe - Result: 6/39 (15.39 %), [7]Setup 
_312s2.exe - Result: 1/40 (2.5 %), [8]Setup _312s2.exe - 
Result: 1/39 (2.56 %), [9]Setup _312s2.exe - Result: 3/39 
(7.7 %). [10]Setup _312s2.exe - Result: 4/40 (10 %), 
[lljSetup _312s2.exe - Result: 1/40 (2.5 %), [12]Setup 
_312s2.exe - Result: 4/40 (10 %), [13]Setup _312s2.exe 
- Result: 5/41 (12.2 %), [14]Setup _312s2.exe - Result: 
5/41 (12.2 %), [15]Setup _312s2.exe - Result: 5/41 (12.2 
%), [16]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[17]Setup _312s2.exe - Result: 4/41 (9.76 %), [18]Setup 
312s2.exe - Result: 5/41 (12.2 %), 



[19]Setup _312s2.exe - Result: 4/41 (9.76 %), [20]Setup 
_312s2.exe - Result: 3/41 (7.32 %), [21]Setup 
_312s2.exe 

- Result: 6/41 (14.63 %), [22]Setup _312s2.exe - Result: 
11/41 (26.83 %), [23]Setup _312s2.exe - Result: 4/42 
(9.53 %). 

Upon execution the sample phones back to winxp7server 
.com/download/winlogo.bmp - 94.228.208.57; 
rescuesy-supdate .com/?b=312s2 - 83.133.125.216. 
The most recent samples ( Wednesday, February 10, 2010) 
phone back to wintimeserver .com/?b=312s2 - 
91.212.226.125 and firmwaredownloadserver 
.com/download/winlogo.bmp 

- 94.228.208.57. 

The most recent samples ( Sunday, February 21, 2010) 
phone back to firmwaredown- 

loadserver.com /download/winlogo.bmp - 

94.228.208.57; 

shifustserver.com /download/winlogo.bmp - 

94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 

The 

most 

recent 

samples 

( Friday, 



February 

12 , 

2010 ) 

phone 

back 

to 

firmwaredownloadserver 

.com/download/winlogo.bmp - 94.228.208.57; 
checklatestversion .com/?b=312s - 109.232.225.75. 

The most recent samples ( Wednesday, February 24, 2010) 
phone back to 

shifustserver.com/download/winlogo.bmp 

- 94.228.208.57 - Email: viinzer@hotmail.com and version- 
upgrade. com/?b=312sl2 - 89.248.168.21. Parked on the 

same IP are also checklatestversion.com and 
fastwinupdates.com. 
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Parked on the same IPs are more scareware domains part of 
the portfolio: 

interlantivirus.com - 87.98.130.232- Email: 
test@now.net.cn 

virus-scan-d.com - 87.98.130.232 - Email: 
test@now.net.cn 


bl9-virus-scanner.com - 87.98.130.232 - Email: 
test@now.net.cn 

intera-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interc-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interd-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

intere-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

inter-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interlantivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

195.5.161.107/psxl/?vih = = RAND0M STRINGS - no 
domain name 

91.212.132.241 /psxl/?vih = = RANDOM STRINGS 
195.5.161.105 /psxl/?vih = = RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn 
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zin-antivirus-scan .com - Email: test@now.net.cn 
nextgen-scannert .com - Email: test@now.net.cn 
protection!5scan .com - Email: test@now.net.cn 



nitro-antispyware .com - Email: test@now.net.cn 

z2-antispyware .com - Email: test@now.net.cn 

spy-detectore .com - Email: admin@clossingt.com 

dis7-antivirus .com - Email: admin@vertigosmart.com 

v2comp-scanner .com - Email: admin@vertigosmart.com 

new-av-scannere .com - Email: missbarlingmail@aol.com 

smartvirus-scan6 .com - Email: info@terranova.com 

spywaremaxscan4 .com - Email: out@trialzoom.com 

super6antispyware .com - Email: mail@ordercom.com 

spyware-max-scan3 .com - Email: out@trialzoom.com 

max-antivirus-security5 .com - Email: 
mail@dynadoter.com 

winterdiscounts5 .com - Email: mail@haselbladtour.com 
11-antivirus .com - Email: call555call@live.com 
1-antivirus .com - Email: call555call@live.com 
lm-online-scanner .com - Email: stellar2@yahoo.com 
2m-online-scanner .com - Email: stellar2@yahoo.com 
2pro-antispyware .com - Email: mail@yahoo.com 
3pro-antispyware .com - Email: mail@yahoo.com 
6-antivirus .com - Email: call555call@live.com 



7-antivirus .com - Email: call555call@live.com 
9-antivirus .com - Email: call555call@live.com 
aO-online-scanner .com - Email: stellar2@yahoo.com 
a9-online-scanner .com - Email: stellar2@yahoo.com 
aa-antivirus .com - Email: call555call@live.com 
aa-online-scanner .com - Email: call555call@live.com 
ab-antivirus .com - Email: call555call@live.com 
ac-antivirus .com - Email: call555call@live.com 
ad-antivirus .com - Email: call555call@live.com 
advl-system-scanner .com - Email: JayRKibbe@live.com 
adv2-system-scanner .com - Email: JayRKibbe@live.com 
ae-antivirus .com - Email: call555call@live.com 
antivirus-expert-a .com - Email: 900ekony@live.com 
antivirus-expert-i .com - Email: 900ekony@live.com 
antivirus-expert-r .com - Email: 900ekony@live.com 
antivirus-expert-y .com - Email: 900ekony@live.com 
antivirussystemscanl .com - Email: 900ekony@live.com 
antivirussystemscana .com - Email: 900ekony@live.com 
army-antispywarea .com - Email: beliec99@yahoo.com 
army-antispywarei .com - Email: beliec99@yahoo.com 



army-antispywarel .com - Email: beliec99@yahoo.com 
army-antispywarep .com - Email: beliec99@yahoo.com 
army-antivirusa .com - Email: beliec99@yahoo.com 
army-antivirusd .com - Email: beliec99@yahoo.com 
army-antivirust .com - Email: beliec99@yahoo.com 
army-antivirusv .com - Email: beliec99@yahoo.com 
army-antivirusy .com - Email: beliec99@yahoo.com 
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bl-online-scanner .com - Email: stellar2@yahoo.com 

best-antiviruskO .com 

bestpd-virusscanner .com - Email: 
SusanCWagner@yahoo.com 

bestpr-virusscanner .com - Email: 
SusanCWagner@yahoo.com 

crystal-antimalware .com - Email: mail@vertigocats.com 

crystal-antivirus .com - Email: mail@vertigocats.com 

crystal-pro-scan .com - Email: mail@vertigocats.com 

crystal-pro-scanner .com - Email: mail@vertigocats.com 

crystal-spyscanner .com - Email: mail@vertigocats.com 

crystal-threatscanner .com - Email: 
mail@vertigocats.com 



crystal-virusscanner .com - Email: mail@vertigocats.com 

extra-spyware-defencea .com - Email: fabula8@live.com 

extra-spyware-defenceb .com - Email: fabula8@live.com 

malware-a-scan .com - Email: mail@bristonnews.com 

malware-b-scan .com - Email: mail@bristonnews.com 

malware-c-scan .com - Email: mail@bristonnews.com 

malware-d-scan .com - Email: mail@bristonnews.com 

malware-t-scan .com - Email: mail@bristonnews.com 

mega-antispywarea .com - Email: fabula8@live.com 

mega-antispywareb .com - Email: fabula8@live.com 

mm-online-scanner .com - Email: stellar2@yahoo.com 

my-computer-antivirusa .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusb .com - Email: 
dillinzerl@yahoo.com 

my-computer-antiviruse .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusq .com - Email: 
dillinzerl@yahoo.com 

my-computer-antivirusw .com - Email: 
dillinzerl@yahoo.com 



my-computer-scanc .com - Email: 
cl intommai l2@yahoo.com 

my-computer-scane .com - Email: 
clintommail2@yahoo.com 

my-computer-scanl .com - Email: 
clintommail2@yahoo.com 

my-computer-scannera .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerl .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerm .com - Email: 
clintommail2@yahoo.com 

my-computer-scannern .com - Email: 
clintommail2@yahoo.com 

my-computer-scannerv .com - Email: 
clintommail2@yahoo.com 

my-computer-scanw .com - Email: 
clintommail2@yahoo.com 

my-pc-online-scanm .com - Email: dillinzerl@yahoo.com 
my-pc-online-scann .com - Email: dillinzerl@yahoo.com 
my-pc-online-scanr .com - Email: dillinzerl@yahoo.com 
my-pc-online-scanv .com - Email: dillinzerl@yahoo.com 
nl-system-scanner .com - Email: JayRKibbe@live.com 
n2-system-scanner .com - Email: JayRKibbe@live.com 



nasa-antivirusl .com - Email: call555call@live.com 
nasa-antivirus3 .com - Email: call555call@live.com 
nasa-antivirusa .com - Email: call555call@live.com 
nasa-antivirusb .com - Email: call555call@live.com 
nasa-antiviruso .com - Email: call555call@live.com 
pcl-system-scanner .com - Email: JayRKibbe@live.com 
pc2-system-scanner .com - Email: JayRKibbe@live.com 
proO-antivirus .com - Email: mail@yahoo.com 
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proO-system-scanner .com - Email: JayRKibbe@live.com 

prol-system-scanner .com - Email:JayRKibbe@live.com 

pro2-antivirus .com - Email: mail@yahoo.com 

pro4-antivirus .com - Email: mail@yahoo.com 

pro6-antivirus .com - Email: mail@yahoo.com 

pro8-antivirus .com - Email: mail@yahoo.com 

remote-antispywarec .com - Email: 
teresa2mail.me@live.com 

remote-antispywared .com - Email: 
teresa2mail.me@live.com 


remote-antispywaree .com - Email: 
teresa2mail.me@l ive.com 

remote-antispywarey .com - Email: 
teresa2mail.me@l ive.com 

remote-pcl-scanner .com - Email: 
teresa2mail.me@l ive.com 

remote-pc-scannera .com - Email: 
teresa2 mail, me@live.com 

remote-pc-scannerr .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannerv .com - Email: 
teresa2mail.me@live.com 

remote-pc-scannery .com - Email: 
teresa2mail.me@live.com 

scan3antispyware .com - Email: o@mozzilastuf.com 

scan6antispyware .com - Email: o@mozzilastuf.com 

scan8antispyware .com - Email: o@mozzilastuf.com 

scan-antispywarea .com - Email: o@mozzilastuf.com 

scan-antispywarec .com - Email: o@mozzilastuf.com 

scan-antispywared .com - Email: o@mozzilastuf.com 

scan-antispywarez .com - Email: o@mozzilastuf.com 

spyware-01-scanner .com - Email: 
mail@bristonnews.com 
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spyware-03-scanner .com - Email: 
mai l@bristonnews.com 

spyware-05-scanner .com - Email: 
mail@bristonnews.com 

spyware-06-scanner .com - Email: 
mail@bristonnews.com 

spyware-07-scanner .com - Email: 
mail@bristonnews.com 

stcanning-your-computerc .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerd .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerq .com - Email: 
mitra66@yahoo.com 

stcanning-your-computerr .com - Email: 
mitra66@yahoo.com 

stcanning-your-computert .com - Email: 
mitra66@yahoo.com 

stcanning-your-pca .com - Email: mitra66@yahoo.com 
stcanning-your-pcb .com - Email: mitra66@yahoo.com 
stcanning-your-pcc .com - Email: mitra66@yahoo.com 
stcanning-your-pcd .com - Email: mitra66@yahoo.com 
stcanning-your-pce .com - Email: mitra66@yahoo.com 



stealthvl-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

stealthv2-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

stealthv7-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv8-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

stealthv9-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

verl-system-scanner .com - Email: JayRKibbe@live.com 
ver2-system-scanner .com - Email: JayRKibbe@live.com 
virus-al-scanner .com - Email: mail@bristonnews.com 
virus-al-scanner .com - Email: mail@bristonnews.com 
virus-bl-scanner .com - Email: mail@bristonnews.com 
virus-bl-scanner .com - Email: mail@bristonnews.com 
virus-cl-scanner .com - Email: mail@bristonnews.com 
virus-cl-scanner .com - Email: mail@bristonnews.com 
virus-dl-scanner .com - Email: mail@bristonnews.com 
virus-dl-scanner .com - Email: mail@bristonnews.com 
virus-e2-scanner .com - Email: mail@bristonnews.com 
virus-e2-scanner .com - Email: mail@bristonnews.com 



windowsv5-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

windowsv6-antispyware .com - Email: 

SteveLCartwri ght@yahoo.com 

windowsv7-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv8-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

windowsv9-antispyware .com - Email: 
SteveLCartwright@yahoo.com 

zO-online-scanner .com - Email: stellar2@yahoo.com 
zl-online-scanner .com - Email: stellar2@yahoo.com 
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Active scareware domains portfolio (blackhat SEO/Koobface 
pushed) parked at [24]212.150.164.190 - AS1680 - 

NV-ASN 013 NetVision Ltd : 

antispy-download .org - Email: 
robertsimonkroon@gmail.com 

scanner-virus-free .org - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .org - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .org - Email: robertsimonkroon@gmail.com 


download-free-files .org - Email: 
robertsi monkroon@gmail.com 

tube-porn-best .org - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .org - Email: 
michaeltycoon@gmail.com 

scanner-virus-free .com - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .com - Email: 
robertsimonkroon@gmail.com 

scanner-free-virus .com - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .com - Email: 
robertsimonkroon@gmail.com 

antispy-download .info - Email: 
robertsimonkroon@gmail.com 

soft-download-free .info - Email 
robertsimonkroon@gmail.com 
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scanner-virus-free .info - Email: 
robertsimonkroon@gmail.com 

scanner-free-virus .info - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .info - Email: 
michaeltycoon@gmail.com 



adult-tube-free .net - Email: michaeltycoon@gmail.com 

scanner-virus-free .net - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .net - Email: robertsimonkroon@gmail.com 

download-free-files .net - Email: 
michaeltycoon@gmail.com 

scanner-free-virus .net - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .net - Email: 
robertsimonkroon@gmail.com 

ekjsoft .eu - Email: robertsimonkroon@gmail.com 

antispy-download .biz - Email: 
robertsimonkroon@gmail.com 

soft-download-free .biz - Email: 
robertsimonkroon@gmail.com 

scanner-virus-free .biz - Email: 
robertsimonkroon@gmail.com 

free-malware-scan .biz - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .biz - Email: 
robertsimonkroon@gmail.com 

tube-sex-porn .biz - Email: robertsimonkroon@gmail.com 

download-free-files .biz - Email: 
michaeltycoon@gmail.com 
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scanner-free-virus .biz - Email: 
robertsimonkroon@gmail.com 

download-free-soft .biz - Email: 
robertsimonkroon@gmail.com 

tube-porn-best .biz - Email: 
robertsimonkroon@gmail.com 

scan-your-pc-now .biz - Email: michaeltycoon@gmail.com 

porn-tube-sex .biz - Email: robertsimonkroon@gmail.com 

alrzsoft .in - Email: petrenko.kolia@yandex.ru 

antispy-download .biz - Email: 
robertsimonkroon@gmail.com 

cool-tube-porn .net - Email: 
robertsimonkroon@gmail.com 

cool-tube-porn .org - Email: 
robertsimonkroon@gmail.com 

download-free-now .net - Email: 
robertsimonkroon@gmail.com 

download-free-now .org - Email: 
robertsimonkroon@gmail.com 

download-free-soft .com - Email: 
robertsimonkroon@gmail.com 


download-free-soft .net - Email: 
robertsimonkroon@gmail.com 

download-scaner-free .com - Email: 
robertsimonkroon@gmail.com 

ekjsoft .eu 
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fdglsoft .in - Email: petrenko.kolia@yandex.ru 

free-virus-scanner .net - Email: 
robertsimonkroon@gmail.com 

kleqsoft .in - Email: petrenko.kolia@yandex.ru 

kltysoft .in - Email: petrenko.kolia@yandex.ru 

ktyjsoft .in - Email: petrenko.kolia@yandex.ru 

kyezsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrjsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrtsoft .in - Email: petrenko.kolia@yandex.ru 

mgtlsoft .in - Email: petrenko.kolia@yandex.ru 

porn-sex-tube .net - Email: robertsimonkroon@gmail.com 

porn-sex-tube .org - Email: robertsimonkroon@gmail.com 

scan-free-malware .net - Email: 
robertsimonkroon@gmail.com 


scan-free-malware .org - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .com - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .info - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .net - Email: 
robertsimonkroon@gmail.com 

spyware-scaner-free .org - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .biz - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .com - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .net - Email: 
robertsimonkroon@gmail.com 

tube-best-porn .org - Email: 
robertsimonkroon@gmail.com 
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tube-porn-sex .info - Email: 
robertsimonkroon@gmail.com 

tube-porn-sex .net - Email: robertsimonkroon@gmail.com 
tube-porn-sex .org - Email: robertsimonkroon@gmail.com 

What's so special about the 

robertsimonkroon@gmail.com email anyway? 



It's the fact that not only was 

[25]the email was once again used to register [26]scareware 
domains two times in July, 2009, but also, as pointed out in 
November 2009's M [27]Koobface Botnet's Scareware 
Business Model - Part Two", the same email was used to 
register the following download locations for scareware 
domains pushed by the Koobface botnet: 

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com 

6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 

mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 

84u9wb2hsh4p6 .cn - Email: 
robertsimonkroon@gmail. com 

6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 



mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 

mt3pvkfmpi7de .cn - Email: 
robertsimon kroon@g mail. com 

fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com 

fyivbrl3b0dyf.cn - Email: robertsimonkroon@gmaii.com 

z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 

ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 

p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 

gjpwsc5p7oe3m .cn - Email: 
robertsimon kroon@g mail, com 

fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 

7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com 

3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com 

p0umob9k2g7mp .cn - Email: 
robertsimon kroon@g mail, com 

od32qjx6meqos .cn - Email: 
robertsimon kroon @g mail, com 

bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 

7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 

Stay tuned for a massive Koobface related activities 
update, analyzing the gang's multi-tasking 
throughout 



the entire January, 2010 - descriptive historical 
OSINT offers long-term value in cross-checking for 
connections. 

Related Koobface gang/botnet research: 

[28] How the Koobface Gang Monetizes Mac OS X Traffic 

[29] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[30] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[31] Koobface Botnet Starts Serving Client-Side Exploits 

[32] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[33] Koobface Botnet's Scareware Business Model - Part Two 

[34] Koobface Botnet's Scareware Business Model - Part One 
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[35] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[36] New Koobface campaign spoofs Adobe's Flash updater 

[37] Social engineering tactics of the Koobface botnet 

[38] Koobface Botnet Dissected in a TrendMicro Report 

[39] Movement on the Koobface Front - Part Two 

[40] Movement on the Koobface Front 



[41] Koobface - Come Out, Come Out, Wherever You Are 

[42] Dissecting Koobface Worm's Twitter Campaign 

The Diverse Portfolio of Fake Security Software 
Series: 

[43] A Diverse Portfolio of Fake Security Software - Part 
Twenty Four 

[44] A Diverse Portfolio of Fake Security Software - Part 
Twenty Three 

[45] A Diverse Portfolio of Fake Security Software - Part 
Twenty Two 

[46] A Diverse Portfolio of Fake Security Software - Part 
Twenty One 

[47] A Diverse Portfolio of Fake Security Software - Part 
Twenty 

[48] A Diverse Portfolio of Fake Security Software - Part 
Nineteen 

[49] A Diverse Portfolio of Fake Security Software - Part 
Eighteen 

[50] A Diverse Portfolio of Fake Security Software - Part 
Seventeen 

[51] A Diverse Portfolio of Fake Security Software - Part 
Sixteen 

[52] A Diverse Portfolio of Fake Security Software - Part 
Fifteen 



[53] A Diverse Portfolio of Fake Security Software - Part 
Fourteen 

[54] A Diverse Portfolio of Fake Security Software - Part 
Thirteen 

[55] A Diverse Portfolio of Fake Security Software - Part 
Twelve 

[56] A Diverse Portfolio of Fake Security Software - Part 
Eleven 

[57] A Diverse Portfolio of Fake Security Software - Part Ten 

[58] A Diverse Portfolio of Fake Security Software - Part Nine 

[59] A Diverse Portfolio of Fake Security Software - Part Eight 

[60] A Diverse Portfolio of Fake Security Software - Part 
Seven 

[61] A Diverse Portfolio of Fake Security Software - Part Six 

[62] A Diverse Portfolio of Fake Security Software - Part Five 

[63] A Diverse Portfolio of Fake Security Software - Part Four 

[64] A Diverse Portfolio of Fake Security Software - Part Three 

[65] A Diverse Portfolio of Fake Security Software - Part Two 

[66] Diverse Portfolio of Fake Security Software 

This post has been reproduced from [67]Dancho Danchev's 
blog. Follow him [68]on Twitter. 
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Keeping Money Mule Recruiters on a Short Leash - 
Part Two (2010-02-09 20:17) 

With [l]money mule recruitment syndicates continuing to 
expand their [2]geographically diverse inventories of 

gullible mules, keeping their operations on a short leash is 
becoming a tradition. What the non-existent organizations 
profiled in this post have in common with the non-existent 
organizations profiled before, is the vendor of money mule 
recruitment creative, thanks to whose standardization of the 
recruitment process, everyone willing to invest a modest 
amount of money can start recruiting. 

Despite [3]the ongoing mix of [4]abusing legitimate 
infrastructure ( [5]Web 2.0 services, dedicated hosting 
within legitimate ISPs - [6]Tweet 1; [7]Tweet 2; [8]Tweet 3; 
[9]Tweet 4; [lOJTweet 5; [llJTweet 6) and using purely 





















malicious infrastructure, centralization is cybecrime 
operations is still an inseparable part of the cybercrime 
ecosystem. 

Case in point is [12]AS47560 - [13]VESTEH-NET-as Vesteh 
LLC, where the cybercriminals have not only chosen 

to host their money mule recruitment domain portfolio, but 
also, the actual Zeus crimeware command and control 



servers. Pretty convenient indeed, however a minimalistic 
OPSEC attitude leading to increased exposure. 

The newly introduced money mule recruitment domains, 
rely on the same DIY web interface, and the same 

"payment processing agent" agreement seen in previous 
campaigns. What's naturally changing are the web page 
layouts combined with a new description of the non-existent 
company. Here's a sample from the currently active ones: 
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"Welcome to the world of Outsourcing. Never has a 
phenomenon been so all encompassing and empowering 
like outsourcing. Transcending beyond an industry's vertical 
segments, outsourcing has become the "by default" 
strategy for ail profit conscious organizations that struggle 
to retain their winning streak and high profitability. Today's 
scenario in the business world is more competitive than 
what it was in the past. There is a growing realization that 
wisdom lies in consolidating the core competency functions 
and outsourcing the supplement. We are an online services 
marketplace in USA and Australia. Our goal is to empower 
businesses with the absolute freedom to choose where to 
outsource their business needs to maximize their 
competitive advantage. We believe that "money saved due 
to outsourcing can be effectively and successfully utilized to 
focus more on strategic and core businesses functions". 

The fact that money mule recruiters aggregate contact 
details from career building web sites, isn't new - see 

"[14]Major career web sites hit by spammers attack". 

Here are the [15]sample letters emailed to a prospective 
money mule, which [16]spotted the scam and avoided it: 
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"After reviewing your resume online we have decided to 
propose you a Payment Processing Agent vacancy 

My name is Sarah Forbes and I'm working at SUCCESS 
Group Inc. Our company is a well-known one. It was 

founded in the USA and deals mainly with recruitment of IT 
professionals. The job we offer is a part-time position with a 
flexible schedule. On average the working hours are 2-3 
hours a day (Monday through Friday). Our job requirements: 
Internet access and e-mail. Successful applicants are 
offered a probationary period (30 days). AH agents get a 
training and online support. We evaluate the employees at 
least one week prior to the end of their trial period. NOTE: 
During the probationary period termination can be 
recommended by the supervisor. 

The pay is $2,300 per month during the Trial Period + 8 % 
commission from each successfully handled pay¬ 
ment. Total income is about $4,500 per month. After the 
first 30 days your base salary will be increased up to $3,000 
a month. NOTE: After the probationary period you may 
request additional assignments or proceed a 

full-time. If you are interested in the offer, please, contact 
me at success.sarah.forbes@googlemail.com for the details. 

FORM FORM FORM 


First name: 


Last name: 








Country of residence: _ 

Contact phone: _ 

Preferred catime: _ 

_ FORM _ FORM _ FORM _ _ 

Our representatives will reply within 48 hours. NOTE: This is 
not a sales position. 

Sincerely , 

Sarah Forbes 

SUCCESS Group Inc 

job@success-groupinc. tw 

Phone: 1-585-267-5988 

Fax: 1-585-672-6137" 

Let's expose the domain portfolios in question. 
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Active money mule recruitment sites parked within 
AS47560 - VESTEH-NET-as Vesteh LLC, at 91.200.164.18; 

91.200.164.19; 91.200.164.20; 91.200.164.21; and 
91.200.164.22 in particular: 

aurora-groupco .tw - Email: dodo@fastermail.ru 

aurora-groupco .ws - Email: info@gtec.ru 









aurora-groupinc .tw - Email: cents@qx8.ru 
aurora-groupinc .ws - Email: info@gtec.ru 
bear-groupco .ws - Email: info@gtec.ru 
bear-groupinc .ws - Email: info@gtec.ru 
citizen-groupco .tw - Email: sane@qx8.ru 
citizen-groupco .ws - Email: info@gtec.ru 
citizengroupinc .ws - Email: info@gtec.ru 
citizen-groupsvc .tw - Email: frown@fastermail.ru 
classic-groupco .ws - Email: info@gtec.ru 
classicgroupinc .ws - Email: info@gtec.ru 
classic-groupsvc .tw - Email: haste@fastermail.ru 
excel-groupco .tw - Email: thaws@bigmailbox.ru 
excel-groupinc .tw - Email: thaws@bigmailbox.ru 
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excel-groupinc .ws - Email: info@gtec.ru 
financial-groupco .tw - Email: think@maillife.ru 
financial-groupco .ws - Email: info@gtec.ru 
financial-groupinc .tw - Email: sane@qx8.ru 
financial-groupsvc .ws - Email: info@gtec.ru 
market-vision .tw - Email: place@bigmailbox.ru 



market-visioninc .ws - Email: info@gtec.ru 

measure-groupco .tw - Email: cents@qx8.ru 

measure-groupco .ws - Email: info@gtec.ru 

measure-groupinc .tw - Email: cents@qx8.ru 

measure-groupinc .ws - Email: info@gtec.ru 

millennium-groupco .tw - Email: thaws@bigmailbox.ru 

millennium-groupinc .ws - Email: info@gtec.ru 

millennium-groupsvc .tw - Email: thaws@bigmailbox.ru 

millennium-groupsvc .ws - Email: info@gtec.ru 

nuris-groupco .tw - Email: rips@fastermail.ru 

nuris-groupco .ws - Email: info@gtec.ru 

nuris-groupinc .tw - Email: rips@fastermail.ru 

nuris-groupinc .ws - Email: info@gtec.ru 

render-groupco .tw - Email: muggy@freenetbox.ru 

success-groupco .ws - Email: info@gtec.ru 

Naturally, it gets even more interesting with AS47560 - 
VESTEH-NET-as Vesteh LLC acting as a good example of 
cybercrime-friendly virtual neighborhood. Not only are the 
cybercriminals hosting the money mule recruitment sites 
there, but also, a decent number of Zeus crimeware C &Cs, 
client-side exploit serving campaigns are currently active 
there. 
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Zeus C &Cs active at [17]91.200.164.44, front pages retu 
"dsfkgjk rgkj ": 

justinnewl .com - Email: 3242dswewrf@yahoo.com 
justinnew2 .com - Email: 3242dswewrf@yahoo.com 
justinnew3 .com - Email: 3242dswewrf@yahoo.com 
justinnew4 .com - Email: 3242dswewrf@yahoo.com 
justinnew5 .com - Email: 3242dswewrf@yahoo.com 
justinnew6 .com - Email: 3242dswewrf@yahoo.com 
justinnew7 .com - Email: 3242dswewrf@yahoo.com 
justinnew8 .com - Email: 3242dswewrf@yahoo.com 
justinnew9 .com - Email: 3242dswewrf@yahoo.com 
justinnewlO .com - Email: 3242dswewrf@yahoo.com 
justinnewll .com - Email: 3242dswewrf@yahoo.com 
justinnewl2 .com - Email: 3242dswewrf@yahoo.com 
justinnewl2 .com - Email: 3242dswewrf@yahoo.com 
justinnewl3 .com - Email: 3242dswewrf@yahoo.com 
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justinnewl4 .com - Email: 3242dswewrf@yahoo.com 




justinnewl5 .com - Email: 3242dswewrf@yahoo.com 

justinnewl6 .com - Email: 3242dswewrf@yahoo.com 

justinnewl7 .com - Email: 3242dswewrf@yahoo.com 

justinnewl8 .com - Email: 3242dswewrf@yahoo.com 

justinnewl9 .com - Email: 3242dswewrf@yahoo.com 

justinnew20 .com - Email: 3242dswewrf@yahoo.com 

justinnew21 .com - Email: 3242dswewrf@yahoo.com 

justinnew22 .com - Email: 3242dswewrf@yahoo.com 

justinnew23 .com - Email: 3242dswewrf@yahoo.com 

justinnew24 .com - Email: 3242dswewrf@yahoo.com 

Historical OSINT of live exploit serving, malware phone back 
locations parked at 91.200.164.44: 

abecedarian .in - Email: jobmasterx@yahoo.com 

absinthial .in - Email: jobmasterx@yahoo.com 

acarine .in - Email: jobmasterx@yahoo.com 

aeruginous .in - Email: jobmasterx@yahoo.com 

agrestic .in - Email: jobmasterx@yahoo.com 

alveolate .in - Email: jobmasterx@yahoo.com 

anaclastic .in - Email: jobmasterx@yahoo.com 

anatine .in - Email: jobmasterx@yahoo.com 





anconoid .in - Email: jobmasterx@yahoo.com 
ancoral .in - Email: jobmasterx@yahoo.com 
anserine .in - Email: jobmasterx@yahoo.com 
archididascalian .in - Email: jobmasterx@yahoo.com 
arietine .in - Email: jobmasterx@yahoo.com 
babied .in - Email: jobmasterx@yahoo.com 
baffled .in - Email: jobmasterx@yahoo.com 
banal .in - Email: jobmasterx@yahoo.com 
barren .in - Email: jobmasterx@yahoo.com 
battle-worn .in - Email: jobmasterx@yahoo.com 
bawled .in - Email: jobmasterx@yahoo.com 
beatific .in - Email: jobmasterx@yahoo.com 
beckoned .in - Email: jobmasterx@yahoo.com 
betonomeshalkatraktor .in - Email: ynetsw@gmail.com 
fcaliber65 .in - Email: wert32@rambler.ru 
humpiiil .in - Email: wert32@rambler.ru 
izyvecheniyOtragladit .in - Email: ynetsw@gmail.com 
lifeberyt .in - Email: wert32@rambler.ru 
marrychristmasforyou .com - ACTIVE 
marrychristmasforyou .net - ACTIVE 



mylstdomain .in - Email: wert32@rambler.ru 
pingcrews .in - Email: jobmasterx@yahoo.com 
razymniygluk .in - Email: ynetsw@gmail.com 
rescservuce .in - Email: wert32@rambler.ru 
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Name servers of notice: 

dnsl.yekt.net - 67.15.47.189 

nsl.trythisok.cn - 89.248.166.45 - chunk@qx8.ru 

nsl.basilkey.ws - 89.248.166.45 - info@gtec.ru 

ns2.maninwhite.cc - 38.99.169.210 - duly@fastermail.ru 

ns2.mythinregion.ws - Email: info@gtec.ru 

ns2.partytimee.cn - 38.99.169.208 - Email: 
chunk@qx8.ru 

ns3.cnnandpizza.cc - 195.182.57.36 - Email: 
bears@fastermail.ru 

ns3.partymorning.ws - 94.23.114.71 - Email: 
info@gtec.ru 

Take a look at the routing graph for a moment. Who do we 
have here? Our "dear friends" at [18]AS5577 

ROOT eSolutions (also seen [19]here; [20]here; [21]here; 
[22]here; [23]here and [24]here) acting as a node to an 
ever expanding portfolio of malicious customers, with 


AS50215 Troyak-as Starchenko Roman Fedorovich 

part of the 

[25]Pushdo crimeware and [26]client-side exploit serving 
campaigns, [27]second in the list. 

AS47560 - VESTEH-NET-as Vesteh LLC has been notified, 
awaiting response/take down reaction. Or the lack of 

such. 

Related coverage of money laundering in the 
context of cybercrime: 

[28] Keeping Reshipping Mule Recruiters on a Short Leash 

[29] Keeping Money Mule Recruiters on a Short Leash 
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[30] Standardizing the Money Mule Recruitment Process 

[31] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[32] Money Mules Syndicate Actively Recruiting Since 2002 

[33] lnside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [34]Dancho Danchev's 
blog. Follow him [35Jon Twitter 

1. http://ddanchev.blo as DOt.com/20Q9/10/standardizin a- 
monev-mule-recruitment.html 

2. http://ddanchev.blo as pot.com/20Q9/ll/keepin a -mone v- 
mule-recruiters-on-short.html 










3. http://blo a s.zdnet.com/securit v/? p = 2293 


4. 

http://www.messa a elabs.com/mlireport/MLI_2Q10 01 lan_FI 
NAL EN. odf 

5. http://blo a s.zdnet.com/securit v/? p = 1514 

6. http://twitter.com/danchodanchev/status/86383117Q2 

7. http://twitter.com/danchodanchev/status/8638405085 

8. http://twitter.com/danchodanchev/status/8638505748 

9. http://twitter.com/danchodanchev/status/8638623148 

10. http://twitter.com/danchodanchev/status/8638713256 

11. http://twitter.com/danchodanchev/status/8638841565 

12. https://zeustracker.abuse.ch/monitor. ph p?as=47560 

13. http:// a oo a le.com/safebrowsin a /dia a nostic? 
site=AS:4756Q 

14. http://blo a s.zdnet.com/securit v/? p=1085 

15. http://www.delphifaa.com/faa/scams/fl057.shtml?p = 22 

16. http://www.delphifaa.com/faa/scams/fl057.shtml?p = 22 

17. https://zeustracker.abuse.ch/monitor. php? 
i paddress=91.2QQ.164.44 

18. http://hphosts.blo as pot.com/2QQ9/ll/crimeware- 
friendlv-isps-root-esolut i ons.html 













































19. http://ddanchev.blo as pot.com/20Q9/12/koobface- 
friendlv-riccom-ltd-as29550.html 

20. http://ddanchev.blo as pot.com/2009/02/cost-of- 
anonvmizin a-c vbercriminals.html 

21. http://ddanchev.blo as pot.com/20Q9/12/diverse- 
portfoMo-of-fake-securitv.html 

22. http://ddanchev.blo as pot.com/2009/Q8/us-federal- 
forms-blackhat-seo-themed.html 


23. http://ddanchev.blo as pot.com/20Q9/ll/koobface- 
botnets-scareware-business.html 


24. http://ddanchev.blo as pot.com/2009/Q5/diverse- 
oortfolio-of-fake-securitv.html 

25. http://ddanchev.blo as pot.com/201Q/01/pushdo-servin a- 
crimeware-client-side.html 


26. http://ddanchev.blo as pot.com/2010/Q2/photoarchive- 
crimewareclient-side.html 


27. http://ddanchev.blo as pot.com/201Q/01/outlook-web- 
access-themed-spam-campai a n.html 

28. http://ddanchev.blo as pot.com/20Q9/12/keepin a- 
reshi p pin a -mule-recruiters-on.html 

29. http://ddanchev.blo as pot.com/20Q9/ll/keepin a -mone v- 
mule-recruiters-on-short.html 


30. http://ddanchev.blo as pot.com/20Q9/10/standardizin a- 
monev-mule-recruitment.html 


31. http://ddanchev.blo as pot.com/2008/Q7/monev-mule- 
recruiters-use-asproxs-fast.html 























































32. http://ddanchev.blo as pot.com/20Q8/10/monev-mules- 
s vndicate-activelv.html 

33. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a rouos-spammin a .html 

34. http://ddanchev.blo as oot.com/ 

35. http://twitter.com/danchodanchev 
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Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild (2010-02-11 22:19) 

A currently ongoing malware campaign courtesy of the gang 
that's been busy rotation themes over the past few 

weeks, has changed the theme to " You are in a higher tax 
bracket', and continues serving client-side exploits next to a 
Zeus crimeware sample using a bogus " You don't have the 
latest version of Macromedia Flash Player" error message. 

- Sample URL: repl031 .be/reports/getreport.php? 
email=email - Email: souchuck@yahoo.com. The following 

currently suspended domains are also involved - repl032 
.be; repl030.me .uk; repl031.me .uk; repl032.me 
.uk; repl030.co .uk; repl031.co .uk; repl032.co .uk; 
rep!043.me .uk; rep!041.co .uk; rep!032.co .uk 1020 


El 

- UPDATED: The most recently spamvertised domains 
include: 

















repl041 .kr - Email: Souchuck@yahoo.com 
repl042 .kr - Email: Souchuck@yahoo.com 
repl043 .kr - Email: Souchuck@yahoo.com 
repl044 .kr - Email: Souchuck@yahoo.com 
repl041.ne .kr - Email: Souchuck@yahoo.com 
repl042.ne .kr - Email: Souchuck@yahoo.com 
repl043.ne .kr - Email: Souchuck@yahoo.com 
repl041.co .kr - Email: Souchuck@yahoo.com 
repl042.co .kr - Email: Souchuck@yahoo.com 
repl043.co .kr - Email: Souchuck@yahoo.com 
repl044.co .kr - Email: Souchuck@yahoo.com 
repl041.or .kr - Email: Souchuck@yahoo.com 
repl042.or .kr - Email: Souchuck@yahoo.com 
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repl043.or .kr - Email: Souchuck@yahoo.com 
repl044.or .kr - Email: Souchuck@yahoo.com 

- Sample detection rate: 

update.exe - [l]PWS:Win32/Zbot.RS - Result: 8/41 (19.52 
%); MD5: 44028f0e2fa3ec70507992cb0684ff58 


- Name servers of notice: 

nsl.socialworc .net - 87.117.245.9 - Email: 
storylink@live.com 

nsl.trihtmens .net - 87.117.245.9 

nsl.inserthelping .net - suspended 

nsl.citysatellites .net - down 

- Sample message: " Dear taxpayer, The Federal income 
tax is a progressive tax, meaning that the more you earn, 
the higher your tax rate. Your tax rate depends not just 
upon your taxable income, but also upon your filing status 
(single, married filing jointly, etc.). You're in a higher tax 
bracket because: - your annual income for the last tax year 
has increased. Please review your annual tax report 
immediately at: get report." 

- Sample iFrame used: 109.95.115.36 /uzs/in.php also 
used in last [2]week's PhotoArchive campaign; - AS50215 - 

Troyak-as Starchenko Roman Fedorovich - 
akanyovskiy@troyak.org; akanyovskiy@vishclub.net and 
serving CVE-2007- 

5659; CVE-2008-2992; CVE-2009-0927; CVE-2009-4324. 
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- Sample malware detection rate/phone back C &Cs: 

update.exe - [3]Trojan-Spy.Win32.Zbot.gen - Result: 8/41 


(19.52 %), MD5: fl5d88ac3e381aeb6b3779b0dd7042ce. 


Upon execution phones back to [4]trollar .ru/cnf/trl.jpg - 
109.95.114.133 - Email: bernardo _pr@inbox.ru; 

[5]AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich. 
Email was also used to register the Zeus C &C from last 
week's "[6] PhotoArchive Crimeware/Client-Side Exploits 
Serving Campaign in the Wild" campaign. 

- Name servers of notice: nsl.gompley .net - 
74.117.63.218 - Email: storylink@live.com; nsl.hoocky .net 


74.117.63.218 - Email: footboolfan7@aol.com, also known 
to have been parked on the same IP are nsl.allhostinfo 

.com - Email: line@metalfan.com; nsl.helpgoldbank .net - 
Email: glonders@gmail.com and nsl.drowthdb .com. 

- Second portfolio of related name servers: the 

second portfolio is parked at 62.19.3.2 - nsl.faktorypro .com 


Email: poolbill@hotmail.com; nsl.x-videocovers .net - Email: 
storylink@live.com; nsl.serwisezone .net - Email: 

line@metalfan.com; nsl.guarantexpres .com; 
nsl.respectiveowners .net 
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Updates will be posted as soon as new developments 
emerge. 

Related coverage of the gang's previous campaigns: 

[7]PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 



[8] Facebook/AOL Update Tool Spam Campaign Serving 
Crimeware and Client-Side Exploits 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[10] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[11] Pushdo Injecting Bogus Swine Flu Vaccine 

[12] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[13] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[14] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [15]Dancho Danchev's 
blog. Follow him [16]on Twitter. 

1 . 

http://www.virustotal.com/analisis/aa9f7b84bf5bl937a529b 

Qb9cQd3488971cdf23d318053cfe818333ae7639737- 

12659 

3Q51Q 

2. http://ddanchev.blo as pot.com/201Q/02/photoarchive- 
crimewareclient-side.html 

3. 

http://www.virustotal.com/analisis/08c6a859e00d5011bf3c 

67a03466c5567db7678f0bba0fl74619ac5298bf2ec9- 

12659 
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4. https://zeustracker.abuse.ch/monitor. ph p7host-trollar.ru 

5. https://zeustracker.abuse.ch/monitor. ph p?as=5Q369 

6. http://ddanchev.blo as pot.com/2010/Q2/photoarchive- 
crimewareclient-side.html 

7. http://ddanchev.blo as pot.com/2010/Q2/photoarchive- 
crimewareclient-side.html 


8. http://ddanchev.blo as pot.com/201Q/01/facebookaol- 
u pdate-tool-spam-campai a n.html 

9. http://ddanchev.blo as pot.com/201Q/01/pushdo-servin a- 
crimeware-client-side.html 


10. http://ddanchev.blo as pot.com/201Q/01/outlook-web- 
access-themed-spam-campai a n.html 

11. http://ddanchev.blo as pot.com/2QQ9/12/pushdo- 
ini ectin a -bo a us-swine-f1u.html 

12. http://ddanchev.blo as pot.com/2009/ll/vour-maiibox- 
has-been-deactivated-spam.html 

13. http://ddanchev.blo as pot.com/20Q9/10/on a oin a -fdic- 
s pam-campai a n-serves-zeus.html 

14. http://ddanchev.blo as pot.com/2009/Q7/multitaskin a- 
fast-f1ux-botnet-that.html 


15. http://ddanchev.blo as pot.com/ 

16. http://twitter.com/danchodanchev 
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'Anonymous' Group's DDoS Operation Titstorm 
(2010-02-12 01:40) 
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'Anonymous' Group's DDoS Operation Titstorm 
(2010-02-12 01:40) 

With last months [l]'Anonymous' Group's DDoS Operation 
Titstorm campaign a clear success based on the real-time 
monitoring of the crowdsourcing-driven attack, it's time to 
take a brief retrospective on the tools and tactics used, and 
relate 

• Go through an analysis of 2009's failed [2]Operation 
Didgeridie DDoS campaign 

Why is Operation Titstorm an important one to profile? Not 
only because it worked compared to [3]Operation 

Didgeridie, but also, due to the fact that crowdsourcing 
driven (malicious culture of participation) DDoS attacks 
have proven themselves throughout the past several years, 
as an alternative to DDoS for hire attacks. 

- DIY ICMP flooders 

- Web based multiple iFrame loaders to consume server CPU 

- Web based email bombing too IS+predefined lists of emails 
belonging to government officials/employees 

Go through related posts on crowdsourcing DDoS 
attacks/malicious culture of participation: 

[4]Coordinated Russia vs Georgia cyber attack in progress 


[5] Iranian opposition launches organized cyber attack 
against pro-Ahmadinejad sites 

[6] People's Information Warfare Concept 

[7] Electronic Jihad v3.0 - What Cyber Jihad Isn't 
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[8] Electronic Jihad's Targets List 

[9] The DDoS Attack Against CNN.com 

[lOJChinese Hacktivists Waging People's Information 
Warfare Against CNN 

[llJThe Russia vs Georgia Cyber Attack 

[12] Real-Time OSINT vs Historical OSINT in Russia/Georgia 
Cyberattacks 

[13] Pro-Israeli (Pseudo) Cyber Warriors Want your 
Bandwidth 

[14] lranian Opposition DDoS-es pro-Ahmadinejad Sites 

This post has been reproduced from [15]Dancho Danchev's 
blog. Follow him [16]on Twitter. 

1. http://www.smh.com.au/technolo a v/technolo av- 

news/operation-titstorm-hackers-br ina -down- a overnment- 

website 


s-2010Q210-naku.html 

2. http://blo a s.zdnet.com/securit v/7 p=4234 

3. http://blo a s.zdnet.com/securit v/? p=4234 

















4. http://blo a s.zdnet.com/securit v/? p = 1670 

5. http://blo a s.zdnet.com/securit v/? p = 3613 

6. http://ddanchev.blo as pot.com/2Q07/lQ/peoples- 
information-warfare-concept.html 

7. http://ddanchev.blo as pot.com/2QQ7/ll/electronic- i ihad- 
v30-what-cvber- i i had.html 

8. http://ddanchev.blo as pot.com/2QQ7/ll/electronic- ii hads- 
tar a ets-list.html 

9. http://ddanchev.blo as pot.com/2QQ8/Q4/ddos-attack- 
aa ainst-cnncom.html 

10. http://ddanchev.blo as pot.com/2QQ8/Q4/chinese- 
hacktivists-wa aina- peoples.html 

11. http://ddanchev.blo as pot.com/2QQ8/Q8/russia-vs- 
g eorg ia-cvber-attack.html 

12. http://ddanchev.blo as pot.com/2QQ8/lQ/real-time-osint- 
vs-historical-osint-in.html 


13. http://ddanchev.blo as pot.com/2QQ9/Ql/pro-israel i- 
pseudo-cvber-warriors-want.html 

14. http://ddanchev.blo as pot.com/2QQ9/Q6/iranian- 
op position-ddos-es-pro.html 

15. http://ddanchev.blo as pot.com/ 

16. http://twitter.com/danchodanchev 
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Dissecting an Ongoing Money Mule Recruitment 
Campaign (2010-02-12 23:46) 

Money mule recruiters can be sometimes described as mass¬ 
marketing zombies, who have absolutely no idea who 

they're trying to recruit. Cefin Consulting & Finance - 

cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru 
is the very latest example of such a campaign, trying to 
recruit, well, me. 

The initial recruitment email was spammed from 

maximumsxz78@roulottesste-anne.com with IP 
221.154.76.195: 

" Cefin Consulting & Finanace is one of the leading providers 
of consulting services in the world. Our success depends 
both on high quality of services and on professionally 
managed and reliable business processes. This is the reason 
why quality is our main concern. However, the only way to 
reach top-notch quality in our business is permanent 
struggle for quality and engineering of stable procedures. It 
is not possible to reach high quality standards without 
dedicated personnel striving for flawless operation of 
processes and projects in their daily life. 

Currently we have a Financial Manager opening. No 
deadlines for applications are set. The job of Financial 

Manager includes processing of money transfers, sent to his 
personal bank accounts by company clients. Upon receiving 
a transfer the Financial Manager has to redirect it to the 
account specified by our dispatchers. All you need for this 
job are: 3-4 free hours a day, your wish, ability to work in a 
team and responsibility. The initial wages will equal 5 % of 
total monthly turnover. 



Requirements to Candidates: 

- 20 years old and more 
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- Be able to check your email several times a day 

- Should have personal (or business) bank account 

- Have a skill to communicate and access to the Internet. 

- Foreign language (English is preferable). 

- To have an opportunity in any working hours to go to 
closest Western Union location and make money transfer. 

What we offer: 

- Generous wages - (Your earnings will originally make 5 % 
from each payment. Your earnings will originally make 5 % 

from each payment. After 5 remittances if you will 
operatively work and correctly, your earnings raises up to 
10 %. ) 

- Opportunity of increase in your earnings. 

- Free seminars and training courses (After 6 months of 
great work). 

2010 © Cefin Consulting & Finanacelf you are interested in 
this opening, don't hesitate to send your CV at our e-mail: 

cefincfss@yahoo.com AH right reserved. " 


Response received from cefincfss@yahoo.com with IP 
[1]91.207.4.162, asking for the following details, 
althrough the [2]DIY money-mule recruitment 
management interface automates the entire process, 
thereby allowing it to scale: 

" If you have understood the meaning of work and ready to 
begin working with us, please send us your INFO in the 
following format: 
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1) First name; 2) Last name; 3) Country; 4) City; 5) Zip 
code; 6) Home Phone number, Work Phone number, 

Mobile Phone number; 7) Bank account info:; a) Bank name; 
b) Account name; c) Account number; d) Sort code; 8) Scan 
you passport or driver license" 

The CV forwarding email provided is 
mynesco@yahoo.com, although they'll even recruit you 
without sending them the required CV. 

What's special about the bogus company, is not the new 
template layout that they've purchased from a [3]vendor 
offering creative for money-mule recruitment 
campaign, but their attempt to establish themselves as a 
trusted brand by featuring fake certificates issued by easily 
recognizable brands, such as Western Union, Money 
Gram, Investors in People, the World Business 
Community and even an award from the Chamber 
Awards for 2004 in the category - 11 Most Promising New 
Business". 


Moreover, parked on the very same IP where the 
money mule recruitment is, are also domains 
currently serving live exploits, as well as a DIY 
interface for a spamming service known as "OS- 
CORP". 

The certificates in question: 
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Cefin Consulting & Finance describes itself as: 

11 Cefin consulting & Finance was founded at the beginning 
of 1990. The emerged structure united specialists with 
unique background in management consulting, marketing 
research, business evaluation and stock-exchange 
operations.The following two companies constitute Cefin 
consulting & Finance: 

- Omega Financial Dept. - the dedicated company in the 
field of securities operations; 


- Omega Consult - the dedicated consulting company, 
rendering services in strategic planning and corporate 
management. 

Activity of Cefin consulting & Finance is focused on 
generation of balanced solutions for active development of 
the company and minimization of business risks. 
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Cefin consulting & Finance offers successful managerial 
solutions through consulting support to projects in various 
spheres, namely: comprehensive restructuring and 
organizational development, generation of managing 
companies, engineering of tailored management systems 
for corporate clients, implementation of project 
management methods, business development financial and 
economic simulation. 

Top-notch dedicated professionals with key competence in 
various consulting fields constitute our rigorous staff. 

We boast to have management consulting and business 
strategy development experts, certified securities dealers, 
assessment and registration, marketing and financial 
specialists, corporate law and anti-monopoly legislation 
gurus. 

Address: Cefin consulting & Finance is located at 510 East 
80th Street, New York, New York 10021, United States 786- 
475-3994; 786-475-3994 (FAX)" 
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The money mule recruitment domain cefincf .com - 
195.190.13.106 - Email: flier@infotorrent.ru remains active. 

Parked on the same IP are also the following domains, 
currently hosting live exploit kits: 

384756783900 .cn - Email: abuse@domainsreg.cn 

109438129432 .cn - Email: abuse@domainsreg.cn 

234273849543 .cn - Email: abuse@domainsreg.cn 

783456788839 .cn - Email: abuse@domainsreg.cn 

odnaklasniki .cn - Email: 

Michell.Gregory2009@yahoo.com - Email profiled in 
December 2009's "[4] Celebrity- 

Themed Scareware Campaign Abusing DocStoe" - 

money mule recruitment connection 

mynes-consultings .cn - Email: grishanizov@gmail.com 
mynes-consult .cn - Email: grishanizov@gmail.com 
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Sample live exploit structure, currently active at these 
domains: 

- mynes-consult .cn -> if exploitation is not possible, the 
user is redirected to the legitimate newegg.com 

- mynes-consult .cn/load.php?spl = mdac 

- mynes-consult .cn/load.php?spl = buddy 


- mynes-consult .cn/load.php?spl = myspace 

- mynes-consult .cn/load.php?spl=vml2 

- mynes-consult .cn/load.php?spl=ymj 

- mynes-consult .cn/load.php?spl=zangol 

- mynes-consult .cn/load.php?spl=zango2 

All of these exploits drop load.exe - 

[5]TrojanDownloader:Win32/Cutwail.gen!C - Result: 
41/41 (100.00 %), which upon execution phones back to 

69.162.86.210. 

With cybercriminals actively multi-tasking these days, this 
money mule recruitment gang doesn't make an ex¬ 
ception. On one of the domains listed above, a low-profile 
DIY spamming service known as OS-CORP is offering its 
services. 
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The DIY spam service, also has Terms of Service and offers 
basic spamming recommendations. The following is a 

roughly translated version of them: 

11 - No child Porno spamming! 

- Do not offer me affiliate program ( % of sales), I do not 
care! 

- ICQ almost always online, but this does not mean that I 
always present! If you have not received an answer 


immediately have patience, I will answer as soon as 
appearing! 

- Mailing lists on bases of certain subjects are more 
expensive! 

-1 am not responsible for your campaigns and sites sites 
that are sometimes nailed in the process of spam! Use anti¬ 
abuse hosting! 

- I'm not offering anti-abuse hosting services! 

-1 don't offer recommendations for such services. I give 
only the services that spam! 

- Campaign's size should be UP TO 50 kb! 
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Recommendations for the preparation of material for 
delivery! 

- Do not always send the same text messages, ideally, to 
change the text after each mailing, the effect of there! 

- Do not use themes in writing (headers) words such as 
EARN, OFFER, do not put a lot of exclamation marks and 
other (better do without them), just one! 

- For a good response from countries whose native language 
is not English (eg Sweden, Spain, Denmark, etc.) is highly 
desirable to use the native language of the text distributed 
to countries, it gives a wonderful effect, and should not be 
mistaken, in countries such not everyone knows English, 
verified repeatedly! 


- Do not write too long texts on a number of reasons this 
does not give a positive effect, but not limited to one 
sentence worth! Ideally, make the text in a few not 
particularly bulky paragraphs !" 

The deeper your analyze, the more malicious, and most 
importantly, inter-connected it gets. 

Related coverage of money laundering in the 
context of cybercrime: 

[6] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 
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[7] Keeping Reshipping Mule Recruiters on a Short Leash 

[8] Keeping Money Mule Recruiters on a Short Leash 

[9] Standardizing the Money Mule Recruitment Process 

[10] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[11] Money Mules Syndicate Actively Recruiting Since 2002 

[12] Inside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14]on Twitter 
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Dissecting an Ongoing Money Mule Recruitment 
Campaign (2010-02-12 23:46) 

Money mule recruiters can be sometimes described as mass¬ 
marketing zombies, who have absolutely no idea who 

they're trying to recruit. Cefin Consulting & Finance - 
cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru 
is the very latest example of such a campaign, trying to 
recruit, well, me. 

The initial recruitment email was spammed from 

maximumsxz78@roulottesste-anne.com with IP 
221.154.76.195: 

" Cefin Consulting & Finanace is one of the leading providers 
of consulting services in the world. Our success depends 
both on high quality of services and on professionally 
managed and reliable business processes. This is the reason 
why quality is our main concern. However, the only way to 
reach top-notch quality in our business is permanent 
struggle for quality and engineering of stable procedures. It 
is not possible to reach high quality standards without 
dedicated personnel striving for flawless operation of 
processes and projects in their daily life. 

Currently we have a Financial Manager opening. No 
deadlines for applications are set. The job of Financial 

Manager includes processing of money transfers, sent to his 
personal bank accounts by company clients. Upon receiving 
a transfer the Financial Manager has to redirect it to the 
account specified by our dispatchers. All you need for this 


job are: 3-4 free hours a day, your wish, ability to work in a 
team and responsibility The initial wages will equal 5 % of 
total monthly turnover. 

Requirements to Candidates: 

- 20 years old and more 
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- Be able to check your email several times a day 

- Should have personal (or business) bank account 

- Have a skill to communicate and access to the Internet. 

- Foreign language (English is preferable). 

- To have an opportunity in any working hours to go to 
closest Western Union location and make money transfer. 

What we offer: 

- Generous wages - (Your earnings will originally make 5 % 
from each payment. Your earnings will originally make 5 % 

from each payment. After 5 remittances if you will 
operatively work and correctly, your earnings raises up to 
10 %. ) 

- Opportunity of increase in your earnings. 

- Free seminars and training courses (After 6 months of 
great work). 


2010 © Cefin Consulting & Finanacelf you are interested in 
this opening, don't hesitate to send your CV at our e-mail: 
cefincfss@yahoo.com All right reserved. " 

Response received from cefincfss@yahoo.com with IP 
[1]91.207.4.162, asking for the following details, 
althrough the [2]DIY money-mule recruitment 
management interface automates the entire process, 
thereby allowing it to scale: 

" If you have understood the meaning of work and ready to 
begin working with us, please send us your INFO in the 
following format: 
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1) First name; 2) Last name; 3) Country; 4) City; 5) Zip 
code; 6) Home Phone number, Work Phone number, 

Mobile Phone number; 7) Bank account info:; a) Bank name; 
b) Account name; c) Account number; d) Sort code; 8) Scan 
you passport or driver license" 

The CV forwarding email provided is 
mynesco@yahoo.com, although they'll even recruit you 
without sending them the required CV. 

What's special about the bogus company, is not the new 
template layout that they've purchased from a [3]vendor 
offering creative for money-mule recruitment 
campaign, but their attempt to establish themselves as a 
trusted brand by featuring fake certificates issued by easily 
recognizable brands, such as Western Union, Money 
Gram, Investors in People, the World Business 
Community and even an award from the Chamber 


Awards for 2004 in the category - 11 Most Promising New 
Business 11 . 

Moreover, parked on the very same IP where the 
money mule recruitment is, are also domains 
currently serving live exploits, as well as a DIY 
interface for a spamming service known as "OS- 
CORP". 

The certificates in question: 
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Cefin Consulting & Finance describes itself as: 

" Cefin consulting & Finance was founded at the beginning 
of 1990. The emerged structure united specialists with 
unique background in management consulting, marketing 
research, business evaluation and stock-exchange 
operations.The following two companies constitute Cefin 
consulting & Finance: 


- Omega Financial Dept. - the dedicated company in the 
field of securities operations; 

- Omega Consult - the dedicated consulting company, 
rendering services in strategic planning and corporate 
management. 

Activity of Cefin consulting & Finance is focused on 
generation of balanced solutions for active development of 
the company and minimization of business risks. 
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Cefin consulting & Finance offers successful managerial 
solutions through consulting support to projects in various 
spheres, namely: comprehensive restructuring and 
organizational development, generation of managing 
companies, engineering of tailored management systems 
for corporate clients, implementation of project 
management methods, business development financial and 
economic simulation. 

Top-notch dedicated professionals with key competence in 
various consulting fields constitute our rigorous staff. 

We boast to have management consulting and business 
strategy development experts, certified securities dealers, 
assessment and registration, marketing and financial 
specialists, corporate law and anti-monopoly legislation 
gurus. 

Address: Cefin consulting & Finance is located at 510 East 
80th Street, New York, New York 10021, United States 786- 
475-3994; 786-475-3994 (FAX)' 1 
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The money mule recruitment domain cefincf .com - 
195.190.13.106 - Email: flier@infotorrent.ru remains active. 

Parked on the same IP are also the following domains, 
currently hosting live exploit kits: 

384756783900 .cn - Email: abuse@domainsreg.cn 

109438129432 .cn - Email: abuse@domainsreg.cn 

234273849543 .cn - Email: abuse@domainsreg.cn 

783456788839 .cn - Email: abuse@domainsreg.cn 

odnaklasniki .cn - Email: 

Michell.Gregory2009@yahoo.com - Email profiled in 
December 2009's "[4] Celebrity- 

Themed Scareware Campaign Abusing DocStoe" - 

money mule recruitment connection 

mynes-consultings .cn - Email: grishanizov@gmail.com 
mynes-consult .cn - Email: grishanizov@gmail.com 
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Sample live exploit structure, currently active at these 
domains: 

- mynes-consult .cn -> if exploitation is not possible, the 
user is redirected to the legitimate newegg.com 


- mynes-consult .cn/load.php?spl = mdac 

- mynes-consult .cn/load.php?spl = buddy 

- mynes-consult .cn/load.php?spl = myspace 

- mynes-consult .cn/load.php?spl=vml2 

- mynes-consult .cn/load.php?spl=ymj 

- mynes-consult .cn/load.php?spl=zangol 

- mynes-consult .cn/load.php?spl=zango2 

All of these exploits drop load.exe - 

[5]TrojanDownloader:Win32/Cutwail.gen!C - Result: 
41/41 (100.00 %), which upon execution phones back to 

69.162.86.210. 

With cybercriminals actively multi-tasking these days, this 
money mule recruitment gang doesn't make an ex¬ 
ception. On one of the domains listed above, a low-profile 
DIY spamming service known as OS-CORP is offering its 
services. 
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The DIY spam service, also has Terms of Service and offers 
basic spamming recommendations. The following is a 

roughly translated version of them: 

" - No child Porno spamming! 


- Do not offer me affiliate program ( % of sales), I do not 
care! 

- ICQ almost always online, but this does not mean that I 
always present! If you have not received an answer 
immediately have patience, I will answer as soon as 
appearing! 

- Mailing lists on bases of certain subjects are more 
expensive! 

-1 am not responsible for your campaigns and sites sites 
that are sometimes nailed in the process of spam! Use anti¬ 
abuse hosting! 

- I'm not offering anti-abuse hosting services! 

-1 don't offer recommendations for such services. I give 
only the services that spam! 

- Campaign's size should be UP TO 50 kb! 
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Recommendations for the preparation of material for 
delivery! 

- Do not always send the same text messages, ideally, to 
change the text after each mailing, the effect of there! 

- Do not use themes in writing (headers) words such as 
EARN, OFFER, do not put a lot of exclamation marks and 
other (better do without them), just one! 

- For a good response from countries whose native language 
is not English (eg Sweden, Spain, Denmark, etc.) is highly 


desirable to use the native language of the text distributed 
to countries, it gives a wonderful effect, and should not be 
mistaken, in countries such not everyone knows English, 
verified repeatedly! 

- Do not write too long texts on a number of reasons this 
does not give a positive effect, but not limited to one 
sentence worth! Ideally, make the text in a few not 
particularly bulky paragraphs !" 

The deeper your analyze, the more malicious, and most 
importantly, inter-connected it gets. 

Related coverage of money laundering in the 
context of cybercrime: 

[6] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 
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[7] Keeping Reshipping Mule Recruiters on a Short Leash 

[8] Keeping Money Mule Recruiters on a Short Leash 

[9] Standardizing the Money Mule Recruitment Process 

[10] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[11] Money Mules Syndicate Actively Recruiting Since 2002 

[12] lnside a Money Laundering Group's Spamming 
Operations 

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14Jon Twitter. 
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IRS/PhotoArchive Themed Zeus/Client-Side Exploits 
Serving Campaign in the Wild (2010-02-15 23:34) 

UPDATED: Monday, February 22, 2010 - Another 
typosquatted domains portfolio is being spamvertised, 
including two new name servers, parked on the same IP 
where name servers from previous campaigns were hosted. 
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Typosquatted domains, and name servers of notice are as 
follows: 

dese.co.kr - Email: asondrapgt@hotmail.com 
dese.kr - Email: asondrapgt@hotmail.com 
dese.ne.kr - Email: asondrapgt@hotmail.com 
dese.or.kr - Email: asondrapgt@hotmail.com 
desr.co.kr - Email: asondrapgt@hotmail.com 
desr.kr - Email: asondrapgt@hotmail.com 
desr.or.kr - Email: asondrapgt@hotmail.com 












desv.co.kr - Email: asondrapgt@hotmail.com 
desv.kr - Email: asondrapgt@hotmail.com 
desv.ne.kr - Email: asondrapgt@hotmail.com 
desv.or.kr - Email: asondrapgt@hotmail.com 
desx.co.kr - Email: asondrapgt@hotmail.com 
desx.kr - Email: asondrapgt@hotmail.com 
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desx.ne.kr - Email: asondrapgt@hotmail.com 
desx.or.kr - Email: asondrapgt@hotmail.com 

edasa.co.kr 

edasa.kr 

edasa.ne.kr 

edasa.or.kr 

edase.co.kr 

edase.kr 

edase.ne.kr 

edase.or.kr 

edasn.kr 

edasn.ne.kr 


edasn.or.kr 



edasq.co.kr 

edasq.kr 

edasq.ne.kr 

edasq.or.kr 

Name servers of notice: 

nsl.silverbrend.net - 87.117.245.9 - Email: 
klincz@aol.com 

nsl.hourscanine.com - 87.117.245.9 - Email: 
carruawau@gmail.com 

UPDATED: Sunday, February 21, 2010 - The gang is 
currently spamming a phishing campaign - no client-side 
serving iFrames found so far - attempting to steal Google 
account and Blogspot accounting data. Given the fact that 
the gang is capable of generating hundreds of thousands of 
bogus accounts on their own, as well as buy them in bulk 
orders from vendors that have already built such an 
inventory across multiple social networking sites, the only 
logical reason for attempting to phish for such data would 
be to attempt to maliciously monetize the traffic of 
legitimate blogs. 
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The newly spamvertised domains, including a new name 
server are as follows: 

esub.co.kr - Email: osamplerl61@hotmail.com 
esub.kr - Email: osamplerl61@hotmail.com 


esub.ne.kr - Email: osamplerl61@hotmail.com 
esug.co.kr - Email: osamplerl61@hotmail.com 
esug.kr - Email: osamplerl61@hotmail.com 
esug.ne.kr - Email: osamplerl61@hotmail.com 
esuk.kr - Email: osamplerl61@hotmail.com 
esuk.ne.kr - Email: osamplerl61@hotmail.com 
esuk.or.kr - Email: osamplerl61@hotmail.com 
esus.co.kr - Email: osamplerl61@hotmail.com 
esus.kr - Email: osamplerl61@hotmail.com 

esus. ne.kr - Email: osamplerl61@hotmail.com 

esut. co.kr - Email: osamplerl61@hotmail.com 

esut.kr - Email: osamplerl61@hotmail.com 

esut.ne.kr - Email: osamplerl61@hotmail.com 

nsl.nitroexcel.com - 89.238.165.195 (the same IP was 
also hosting the name server domains from previous 
campaigns) - Email: rackmodule@writemail.com 

UPDATED: Saturday, February 20, 2010 - The client- 
side exploit serving iFrame directory has been changed to 
91.201.196.101 /usaspll/in.php, with another 
typosquatted portfolio of domains currently being 
spamvertised. 
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Detection rates: update.exe - [l]Trojan.Zbot - Result: 

25/40 (62.5 %) (phones back to trollar.ru /cnf/trl.jpg - 

109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - 

[2] Trojan.Spy.ZBot.l2544.1 - Result: 26/41 (63.42 %); ie.js - 

[3] JS:CVE-2008-0015-G - Result: 14/40 (35 %); ie2.js - 

[4] Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5 %); 
nowTrue.swf - [5]Trojan.SWF.Dropper.E - Result: 24/41 
(58.54 %); pdf.pdf - [6]Exploit.JS.Pdfka.bln - Result: 11/41 

(26.83 %); swf.swf - [7]SWF/Exploit.Agent.BS - Result: 8/40 
(20 %). 

Domain portfolio, name server of notice - 
nsl.vektoroils.net - 74.117.63.218 - Email: 
admin@forsyte.info : desa.co.kr - Email: 
hjfeasey@yahoo.co.uk 

desa.kr - Email: hjfeasey@yahoo.co.uk 

desa.ne.kr - Email: hjfeasey@yahoo.co.uk 

desa. or.kr - Email: hjfeasey@yahoo.co.uk 

desb. co.kr - Email: hjfeasey@yahoo.co.uk 
desb.kr - Email: hjfeasey@yahoo.co.uk 
desb.ne.kr - Email: hjfeasey@yahoo.co.uk 
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desb.or.kr - Email: hjfeasey@yahoo.co.uk 
deso.kr - Email: hjfeasey@yahoo.co.uk 


deso.or.kr - Email: hjfeasey@yahoo.co.uk 

desv.kr - Email: hjfeasey@yahoo.co.uk 

desz.co.kr - Email: hjfeasey@yahoo.co.uk 

desz.kr - Email: hjfeasey@yahoo.co.uk 

desz.ne.kr - Email: hjfeasey@yahoo.co.uk 

desz.or.kr - Email: hjfeasey@yahoo.co.uk 

UPDATED: Wednesday, February 17, 2010 - The iFrame 
directory has been changed to 91.201.196.101 /us- 

asp/in.php, detection rate for update.exe - [8]Trojan- 
Spy.Win32.Zbot.gen - Result: 17/40 (42.5 %). 
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Currently active and spamvertised domains include: 
saqwk.co.kr - Email: Camerc05@yahoo.com 
saqwk.kr - Email: Camerc05@yahoo.com 
saqwk.ne.kr - Email: Camerc05@yahoo.com 
saqwk.or.kr - Email: Camerc05@yahoo.com 
saqwm.co.kr - Email: Camerc05@yahoo.com 
saqwm.kr - Email: Camerc05@yahoo.com 
saqwm.ne.kr - Email: Camerc05@yahoo.com 
saqwq.co.kr - Email: Camerc05@yahoo.com 
saqwq.kr - Email: Camerc05@yahoo.com 



saqwq.ne.kr - Email: Camerc05@yahoo.com 

saqwq.or.kr - Email: Camerc05@yahoo.com 

saqwz.co.kr - Email: Camerc05@yahoo.com 

saqwz.kr - Email: Camerc05@yahoo.com 

saqwz.ne.kr - Email: Camerc05@yahoo.com 

saqwz.or.kr - Email: Camerc05@yahoo.com 

As anticipated, the botnet masters behind the 
systematically rotated campaigns dissected in previous 
posts, 

kick off the week with multiple campaigns parked on the 
newly introduced fast-fluxed domains. 
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In a typical multitasking fashion, two campaigns are 
currently active on different sub domains introduced at the 
typosquatted fast-flux ones, impersonating the U.S IRS with 
" Unreported/Underreported Income (Fraud Application) 
theme ", as well as a variation of the [9]already profiled 
PhotoArchive campaign, using a well known "[10] You don't 
have the latest version of Macromedia Flash Playef' error 
message. 
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Let's dissect both campaigns, sharing the same fast-flux 
infrastructure, and currently spammed in the wild. 


Sample campaign URLs from the PhotoArchive, 
SecretArchives themed campaign: 

- archive .repok.or.kr/archive0714/? 
id=test@test.com 

- secretarchives .renyn.kr/archive0714/? 
id=test@test.com 

- secretfiles .repolit.me.uk/archive0714/? 
id=test@test.com 

- secretarchives .renyn.ne.kr/archive0714/? 
id=test@test.com 

- postcards .repolix.co.uk/archive0714/? 
id=test@test.com 

Sample sub domain structure: 

anonymousfiles .repoli2.me.uk 
archive .repoliq.me.uk 
archive .repolit.me.uk 
archives .repolil.me.uk 
filearchive .repolil.me.uk 
files .repolit.me.uk 
files .repolix.me.uk 
files4friends .repolit.me.uk 
secretarchives .repoliq.me.uk 



secretarchives .repoliw.me.uk 
secretarchives .repolix.me.uk 
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secretfiles .repoliq.me.uk 
sendspace .repoli2.me.uk 
archive .repolix.co.uk 
archives .repoliq.co.uk 
archives .repolix.co.uk 
files .repoliq.co.uk 
files4friends .repolix.co.uk 
incognito .repoliq.co.uk 
postcard .repoliq.co.uk 
postcard .repoliw.co.uk 
secretarchives .repoliw.co.uk 
www.irs.gov.repolix.co.uk 

Embedded iFrame - 91.201.196.101 /ukasp/in.php 

(AS42229 (MARIAM-AS PP Mariam) attempts to exploit 

[ll]CVE-2007-5659; [12]CVE-2008-2992; [13JCVE-2008- 
0015; [ 14]CVE-2009-0927 and [15]CVE-2009-4324. Upon 

successful exploitation, file.exe - [16]Trojan- 
Spy.Win32.Zbot.gen - Result: 12/41 (29.27 %) is served. Just 



like the original update.exe - [17]Trojan.Zbot - Result: 
13/40 (32.50 %) available as a manual download from the 
pages, both 

[18] samples phone back to the well known elnasa.ru 
/asd/elnasa.ble - 109.95.114.71 - Email: 
kievsk@yandex.ru - 

[19] Aleksey V Kijanskiy. 

Naturally, [20]AS42229 (MARIAM-AS PP Mariam) is a 
cybercrime-friendly AS, with the following currently ac¬ 
tive Zeus C &Cs parked there: 

91.201.196.35 

91.201.196.75 

91.201.196.76 
91.201.196.38 
91.201.196.34 
91.201.196.37 

Sample URL from the IRS-themed campaign: 

- irs.gov 

.renyn.kr/fraud.applications/application/statement.p 

hp 

Sample iFrame from the IRS-themed campaign - 

109.95.114.251 /usa50/in.php is currently down. The 
same 



IP was used to serve client-side exploits in a previous 
campaign - "[21] Pushdo Serving Crimeware, Client-Side 
Exploits and Russian Bride Scams". 

Detection rate fortax-statement.exe - [22]Trojan- 
Spy.Win32.Zbot.gen - Result: 37/41 (90.25 %), [23]which 
upon execution phones [24]back to the well known 
nekovo.ru /cbd/ nekovo.br - 109.95.115.18 - Email: 
kievsk@yandex.ru 

- Aleksey V Kijanskiy 
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Active and spamvertised fast-fluxed domains part of the 
campaign: 

renya.co.kr - Email: Sethdc77@yahoo.co.uk 
renya.kr - Email: Sethdc77@yahoo.co.uk 
renya.ne.kr - Email: Sethdc77@yahoo.co.uk 
renya.or.kr - Email: Sethdc77@yahoo.co.uk 
renyn.kr - Email: Sethdc77@yahoo.co.uk 
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyn.or.kr - Email: Sethdc77@yahoo.co.uk 
renyo.co.kr - Email: Sethdc77@yahoo.co.uk 
renyo.kr - Email: Sethdc77@yahoo.co.uk 
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk 


renyo.or.kr - Email: Sethdc77@yahoo.co.uk 
renyx.co.kr - Email: Sethdc77@yahoo.co.uk 
renyx.kr - Email: Sethdc77@yahoo.co.uk 
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renyx.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyx.or.kr - Email: Sethdc77@yahoo.co.uk 
rep021.co.kr - Email: DRendell3407@hotmail.com 
rep021.kr - Email: DRendell3407@hotmail.com 
rep021.ne.kr - Email: DRendell3407@hotmail.com 
rep021.or.kr - Email: DRendell3407@hotmail.com 
rep022.co.kr - Email: DRendell3407@hotmail.com 
rep022.kr - Email: DRendell3407@hotmail.com 
rep022.ne.kr - Email: DRendell3407@hotmail.com 
rep022.or.kr - Email: DRendell3407@hotmail.com 
rep023.co.kr - Email: DRendell3407@hotmail.com 
rep023.kr - Email: DRendell3407@hotmail.com 
rep023.or.kr - Email: DRendell3407@hotmail.com 
rep024.kr - Email: DRendell3407@hotmail.com 
rep071.co.kr - Email: KantuM37690@hotmail.com 
rep071.kr - Email: KantuM37690@hotmail.com 



rep071.ne.kr - Email: KantuM37690@hotmail.com 
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rep071.or.kr - Email: KantuM37690@hotmail.com 
rep072.co.kr - Email: KantuM37690@hotmail.com 
rep072.kr - Email: KantuM37690@hotmail.com 
rep072.ne.kr - Email: KantuM37690@hotmail.com 
rep072.or.kr - Email: KantuM37690@hotmail.com 
rep073.co.kr - Email: KantuM37690@hotmail.com 
rep073.kr - Email: KantuM37690@hotmail.com 
rep073.ne.kr - Email: KantuM37690@hotmail.com 
rep073.or.kr - Email: KantuM37690@hotmail.com 
rep074.co.kr - Email: KantuM37690@hotmail.com 
rep074.ne.kr - Email: KantuM37690@hotmail.com 
rep074.or.kr - Email: KantuM37690@hotmail.com 
repl051.co.uk 
repl051.me.uk 
repl051.org.uk 
repl051.uk.com 

repak.co.kr - Email: limhomeslm@yahoo.co.uk 
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repak.kr - Email: limhomeslm@yahoo.co.uk 
repak.ne.kr - Email: limhomeslm@yahoo.co.uk 
repak.or.kr - Email: limhomeslm@yahoo.co.uk 
repaz.co.kr - Email: Olb55768@yahoo.co.uk 
repaz.kr - Email: Olb55768@yahoo.co.uk 
repaz.or.kr - Email: Olb55768@yahoo.co.uk 
repek.co.kr - Email: limhomeslm@yahoo.co.uk 
repek.ne.kr - Email: limhomeslm@yahoo.co.uk 
repek.or.kr - Email: limhomeslm@yahoo.co.uk 
repey.co.kr - Email: Olb55768@yahoo.co.uk 
repey.kr - Email: Olb55768@yahoo.co.uk 
repey.ne.kr - Email: Olb55768@yahoo.co.uk 
repey.or.kr - Email: Olb55768@yahoo.co.uk 
repia.co.kr - Email: Olb55768@yahoo.co.uk 
repia.kr - Email: Olb55768@yahoo.co.uk 
repia.ne.kr - Email: Olb55768@yahoo.co.uk 
repia.or.kr - Email: Olb55768@yahoo.co.uk 
repik.co.kr - Email: limhomeslm@yahoo.co.uk 
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repik.kr - Email: limhomeslm@yahoo.co.uk 

repik.or.kr - Email: limhomeslm@yahoo.co.uk 

repok.co.kr - Email: limhomeslm@yahoo.co.uk 

repok.kr - Email: limhomeslm@yahoo.co.uk 

repok.ne.kr - Email: limhomeslm@yahoo.co.uk 

repok.or.kr - Email: limhomeslm@yahoo.co.uk 

repoy.co.kr - Email: Olb55768@yahoo.co.uk 

repoy.kr - Email: Olb55768@yahoo.co.uk 

repoy.ne.kr - Email: Olb55768@yahoo.co.uk 

repoy.or.kr - Email: Olb55768@yahoo.co.uk 

repolil.co.uk 

repolil.me.uk 

repoli2.co.uk 

repoli2.me.uk 
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repoli3.co.uk 

repolie.co.uk 

repolio.co.uk 

repoliq.co.uk 


repoliq.me.uk 

repolit.me.uk 

repoliw.co.uk 

repoliw.me.uk 

repolix.co.uk 

repolix.me.uk 

Name servers of notice: 

nsl .skcrealestate.net - 89.238.165.195 - Email: 
support@skrealty.net 

nsl .addressway.net - 89.238.165.195 - Email: 
poolbill@hotmail.com 

nsl .skcpanel.com - 64.20.42.235 - Email: 
support@sk.com 

nsl .holdinglory.com - 64.20.42.235 - Email: 
greysy@gmx.com 

nsl .skcres.com - 64.20.42.235 - Email: hr@skc.net 

nsl .x-videocovers.net - 64.20.42.235 - Email: 
storylink@live.com 

Interestingly, researchers from [25]M86 Security gained 
access to the web malware exploitation kit used in a 

previous campaign: 

" It has been up and running and serving exploits for nearly 
a day. In this time almost 40,000 unique users 



have been exposed to these exploits, and the Zeus 
file has been downloaded over 5000 times. These 
downloads do not include the PhotoArchive.exe file 
downloads that a user may be tricked into downloading and 
executing themselves. " 

Updated will be posted as soon as new developments 
emerge. 

Related coverage of the gang's previous campaigns: 

[26] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[27] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[28] Facebook/AOL Update Tool Spam Campaign Serving 
Crimeware and Client-Side Exploits 

[29] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[30] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[31] Pushdo Injecting Bogus Swine Flu Vaccine 

[32] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[33] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[34] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [35]Dancho Danchev's 
blog. Follow him [36]on Twitter. 
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IRS/PhotoArchive Themed Zeus/Client-Side Exploits 
Serving Campaign in the Wild (2010-02-15 23:34) 

SECOND UPDATE for Wednesday, February 24 f 2010 - 

Another portfolio of new domains is being spamvertised, 
using the old PhotoArchive theme. The client-side exploits 
serving iFrame directory has been changed to 

91.201.196.101 

/usasp33/in.php currently serving CVE-2007-5659; CVE- 

2008- 2992; CVE-2008-0015; CVE-2009-0927 and CVE- 

2009- 4324. 

Sample detection rates: update.exe - [l]Trojan- 
Spy.Win32.Zbot.gen - Result: 10/42 (23.81 %); file.exe - 
[2]TrojanSpy.Win32.Zbot.gen - Result: 10/42 (23.81 %). 
Samples phone back to the same C &C where samples from 
previous campaigns were also phoning back to - trollar.ru 
/cnf/trl.jpg - 109.95.114.133 - Email: bernardo 
_pr@inbox.ru. 

Domains portfolio: 

reda. kr - Email: ClarenceN62412@hotmail.com 

redb. kr - Email: ClarenceN62412@hotmail.com 

reda. ne.kr - Email: ClarenceN62412@hotmail.com 

redb. ne.kr - Email: ClarenceN62412@hotmail.com 
redn.ne.kr - Email: ClarenceN62412@hotmail.com 



redv.ne.kr - Email: ClarenceN62412@hotmail.com 
redn.kr - Email: ClarenceN62412@hotmail.com 
reda.co.kr - Email: ClarenceN62412@hotmail.com 
redv.co.kr - Email: ClarenceN62412@hotmail.com 

reda. or.kr - Email: ClarenceN62412@hotmail.com 

redb. or.kr - Email: ClarenceN62412@hotmail.com 
redn.or.kr - Email: ClarenceN62412@hotmail.com 
redv.or.kr - Email: ClarenceN62412@hotmail.com 
redv.kr - Email: ClarenceN62412@hotmail.com 
Name server of notice: 

nsl.skcstafFing.com - 87.117.245.9 - Email: 
hr@department.com 

UPDATED: Wednesday, February 24, 2010 - Another 
portfolio of typosquatted domains has been spamver- 

tised. The already suspended domains are listed for 
historical OSINT analysis of this gang's activities. 

Interestingly, their campaigns are lacking the quality 
assurance I'm used to see. For instance, the iFrame IP 

(109.95.114.251 /usa50/in.php) is currently down, with 
the malware itself, including the one that would have been 
dropped given the exploitation took place - have over 90 % 
detectio rate, since the binaries were first analyzed a 1073 


month ago - tax-statement.exe - [3]Trojan- 
Spy.Win32.Zbot - 40/42 (95.24 %); abs.exe - 
[4]Packed:W32/Mufanom.A 

- Result: 38/42 (90.48 %). The directory structure also 
remains the same - irs.gov.yrxc.kr/fraud.applications 

/application/statement.php 

Domains portfolio, including name servers of notice are as 
follows: 

erdca.co.kr - Email: WeedDamel6427@hotmail.com 
erdca.kr - Email: WeedDamel6427@hotmail.com 
erdca.ne.kr - Email: WeedDamel6427@hotmail.com 
erdca.or.kr - Email: WeedDamel6427@hotmail.com 
erdcb.kr - Email: WeedDamel6427@hotmail.com 
erdcd.kr - Email: WeedDamel6427@hotmail.com 
erdce.co.kr - Email: WeedDamel6427@hotmail.com 
erdce.kr - Email: WeedDamel6427@hotmail.com 
erdce.ne.kr - Email: WeedDamel6427@hotmail.com 
erdce.or.kr - Email: WeedDamel6427@hotmail.com 
erdcq.kr - Email: WeedDamel6427@hotmail.com 
erdcu.co.kr - Email: WeedDamel6427@hotmail.com 
erdcu.kr - Email: WeedDamel6427@hotmail.com 



erdcu.ne.kr - Email: WeedDamel6427@hotmail.com 
erdcu.or.kr - Email: WeedDamel6427@hotmail.com 
1074 

yrxc.co.kr - Email: WeedDamel6427@hotmail.com 
yrxc.kr - Email: WeedDamel6427@hotmail.com 
yrxc.or.kr - Email: WeedDamel6427@hotmail.com 
yrxo.co.kr - Email: WeedDamel6427@hotmail.com 
yrxo.kr - Email: WeedDamel6427@hotmail.com 
yrxo.ne.kr - Email: WeedDamel6427@hotmail.com 
yrxo.or.kr - Email: WeedDamel6427@hotmail.com 
yrxs.co.kr - Email: WeedDamel6427@hotmail.com 
yrxs.kr - Email: WeedDamel6427@hotmail.com 
yrxs.ne.kr - Email: WeedDamel6427@hotmail.com 
yrxs.or.kr - Email: WeedDamel6427@hotmail.com 
rtsle3en.me.uk 
rtsle3eq.me.uk 
rtsle3ew.me.uk 
rtsle3ex.me.uk 
rtsle3ey.me.uk 


rtsle3ez.me.uk 



rtsle3eb.co.uk 


rtsle3en.co.uk 

rtsle3eq.co.uk 

rtsle3er.co.uk 

rtsle3ew.co.uk 

rtsle3ex.co.uk 

rtsle3ey.co.uk 

rtsle3ez.co.uk 

Name servers of notice: 

nsl.skc-realty.com - 89.238.165.195 - Email: 
skc@realty.net 

nsl.chinafromasia.com 

UPDATED: Monday, February 22, 2010 - Another 
typosquatted domains portfolio is being spamvertised, in¬ 
cluding two new name servers, parked on the same IP where 
name servers from previous campaigns were hosted. 
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Typosquatted domains, and name servers of notice are as 
follows: 

dese.co.kr - Email: asondrapgt@hotmail.com 
dese.kr - Email: asondrapgt@hotmail.com 


dese.ne.kr - Email: asondrapgt@hotmail.com 
dese.or.kr - Email: asondrapgt@hotmail.com 
desr.co.kr - Email: asondrapgt@hotmail.com 
desr.kr - Email: asondrapgt@hotmail.com 
desr.or.kr - Email: asondrapgt@hotmail.com 
desv.co.kr - Email: asondrapgt@hotmail.com 
desv.kr - Email: asondrapgt@hotmail.com 
desv.ne.kr - Email: asondrapgt@hotmail.com 
desv.or.kr - Email: asondrapgt@hotmail.com 
desx.co.kr - Email: asondrapgt@hotmail.com 
desx.kr - Email: asondrapgt@hotmail.com 
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desx.ne.kr - Email: asondrapgt@hotmail.com 
desx.or.kr - Email: asondrapgt@hotmail.com 

edasa.co.kr 

edasa.kr 

edasa.ne.kr 

edasa.or.kr 

edase.co.kr 


edase.kr 



edase.ne.kr 


edase.or.kr 

edasn.kr 

edasn.ne.kr 

edasn.or.kr 

edasq.co.kr 

edasq.kr 

edasq.ne.kr 

edasq.or.kr 

Name servers of notice: 

nsl.silverbrend.net - 87.117.245.9 - Email: 
klincz@aol.com 

nsl.hourscanine.com - 87.117.245.9 - Email: 
carruawau@gmail.com 

UPDATED: Sunday, February 21, 2010 - The gang is 
currently spamming a phishing campaign - no client-side 
serving iFrames found so far - attempting to steal Google 
account and Blogspot accounting data. Given the fact that 
the gang is capable of generating hundreds of thousands of 
bogus accounts on their own, as well as buy them in bulk 
orders from vendors that have already built such an 
inventory across multiple social networking sites, the only 
logical reason for attempting to phish for such data would 
be to attempt to maliciously monetize the traffic of 
legitimate blogs. 
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The newly spamvertised domains, including a new name 
server are as follows: 

esub.co.kr - Email: osamplerl61@hotmail.com 
esub.kr - Email: osamplerl61@hotmail.com 
esub.ne.kr - Email: osamplerl61@hotmail.com 
esug.co.kr - Email: osamplerl61@hotmail.com 
esug.kr - Email: osamplerl61@hotmail.com 
esug.ne.kr - Email: osamplerl61@hotmail.com 
esuk.kr - Email: osamplerl61@hotmail.com 
esuk.ne.kr - Email: osamplerl61@hotmail.com 
esuk.or.kr - Email: osamplerl61@hotmail.com 
esus.co.kr - Email: osamplerl61@hotmail.com 
esus.kr - Email: osamplerl61@hotmail.com 

esus. ne.kr - Email: osamplerl61@hotmail.com 

esut. co.kr - Email: osamplerl61@hotmail.com 

esut.kr - Email: osamplerl61@hotmail.com 

esut.ne.kr - Email: osamplerl61@hotmail.com 

nsl.nitroexcel.com - 89.238.165.195 (the same IP was 
also hosting the name server domains from previous 


campaigns) - Email: rackmodule@writemail.com 

UPDATED: Saturday, February 20, 2010 - The client- 
side exploit serving iFrame directory has been changed to 
91.201.196.101 /usaspll/in.php, with another 
typosquatted portfolio of domains currently being 
spamvertised. 
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Detection rates: update.exe - [5]Trojan.Zbot - Result: 

25/40 (62.5 %) (phones back to trollar.ru /cnf/trl.jpg - 

109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - 

[6] Trojan.Spy.ZBot. 12544.1 - Result: 26/41 (63.42 %); ie.js - 

[7] JS:CVE-2008-0015-G - Result: 14/40 (35 %); ie2.js - 

[8] Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5 %); 
nowTrue.swf - [9]Trojan.SWF.Dropper.E - Result: 24/41 
(58.54 %); pdf.pdf - [10]Exploit.JS.Pdfka.bln - Result: 11/41 

(26.83 %); swf.swf - [ll]SWF/Exploit.Agent.BS - Result: 
8/40 (20 %). 

Domain portfolio, name server of notice - 
nsl.vektoroils.net - 74.117.63.218 - Email: 
admin@forsyte.info : desa.co.kr - Email: 
hjfeasey@yahoo.co.uk 

desa.kr - Email: hjfeasey@yahoo.co.uk 

desa.ne.kr - Email: hjfeasey@yahoo.co.uk 

desa. or.kr - Email: hjfeasey@yahoo.co.uk 

desb. co.kr - Email: hjfeasey@yahoo.co.uk 


desb.kr - Email: hjfeasey@yahoo.co.uk 
desb.ne.kr - Email: hjfeasey@yahoo.co.uk 
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desb.or.kr - Email: hjfeasey@yahoo.co.uk 

deso.kr - Email: hjfeasey@yahoo.co.uk 

deso.or.kr - Email: hjfeasey@yahoo.co.uk 

desv.kr - Email: hjfeasey@yahoo.co.uk 

desz.co.kr - Email: hjfeasey@yahoo.co.uk 

desz.kr - Email: hjfeasey@yahoo.co.uk 

desz.ne.kr - Email: hjfeasey@yahoo.co.uk 

desz.or.kr - Email: hjfeasey@yahoo.co.uk 

UPDATED: Wednesday, February 17, 2010 - The iFrame 
directory has been changed to 91.201.196.101 /us- 

asp/in.php, detection rate for update.exe - [12]Trojan- 
Spy.Win32.Zbot.gen - Result: 17/40 (42.5 %). 

1080 

Currently active and spamvertised domains include: 
saqwk.co.kr - Email: Camerc05@yahoo.com 
saqwk.kr - Email: Camerc05@yahoo.com 
saqwk.ne.kr - Email: Camerc05@yahoo.com 


saqwk.or.kr - Email: Camerc05@yahoo.com 

saqwm.co.kr - Email: Camerc05@yahoo.com 

saqwm.kr - Email: Camerc05@yahoo.com 

saqwm.ne.kr - Email: Camerc05@yahoo.com 

saqwq.co.kr - Email: Camerc05@yahoo.com 

saqwq.kr - Email: Camerc05@yahoo.com 

saqwq.ne.kr - Email: Camerc05@yahoo.com 

saqwq.or.kr - Email: Camerc05@yahoo.com 

saqwz.co.kr - Email: Camerc05@yahoo.com 

saqwz.kr - Email: Camerc05@yahoo.com 

saqwz.ne.kr - Email: Camerc05@yahoo.com 

saqwz.or.kr - Email: Camerc05@yahoo.com 

As anticipated, the botnet masters behind the 
systematically rotated campaigns dissected in previous 
posts, 

kick off the week with multiple campaigns parked on the 
newly introduced fast-fluxed domains. 
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In a typical multitasking fashion, two campaigns are 
currently active on different sub domains introduced at the 
typosquatted fast-flux ones, impersonating the U.S IRS with 
" Unreported/Underreported Income (Fraud Application) 


theme", as well as a variation of the [13]already profiled 
PhotoArchive campaign, using a well known "[14] You don't 
have the latest version of Macromedia Flash PlayeY error 
message. 
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Let's dissect both campaigns, sharing the same fast-flux 
infrastructure, and currently spammed in the wild. 

Sample campaign URLs from the PhotoArchive, 
SecretArchives themed campaign: 

- archive .repok.or.kr/archive0714/? 
id=test@test.com 

- secretarchives .renyn.kr/archive0714/? 
id=test@test.com 

- secretfiles .repolit.me.uk/archive0714/? 
id=test@test.com 

- secretarchives .renyn.ne.kr/archive0714/? 
id=test@test.com 

- postcards .repolix.co.uk/archive0714/? 
id=test(g>test.com 

Sample sub domain structure: 

anonymousfiles .repoli2.me.uk 
archive .repoliq.me.uk 
archive .repolit.me.uk 


archives .repolil.me.uk 
filearchive .repolil.me.uk 
files .repolit.me.uk 
files .repolix.me.uk 
files4friends .repolit.me.uk 
secretarchives .repoliq.me.uk 
secretarchives .repoliw.me.uk 
secretarchives .repolix.me.uk 
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secretfiles .repoliq.me.uk 
sendspace .repoli2.me.uk 
archive .repolix.co.uk 
archives .repoliq.co.uk 
archives .repolix.co.uk 
files .repoliq.co.uk 
files4friends .repolix.co.uk 
incognito .repoliq.co.uk 
postcard .repoliq.co.uk 
postcard .repoliw.co.uk 
secretarchives .repoliw.co.uk 



www.irs.gov.repolix.co.uk 


Embedded iFrame - 91.201.196.101 /ukasp/in.php 

(AS42229 (MARIAM-AS PP Mariam) attempts to exploit 

[15]CVE-2007-5659; [16]CVE-2008-2992; [17JCVE-2008- 
0015; [ 18]CVE-2009-0927 and [19]CVE-2009-4324. Upon 

successful exploitation, file.exe - [20]Trojan- 
Spy.Win32.Zbot.gen - Result: 12/41 (29.27 %) is served. Just 
like the original update.exe - [21]Trojan.Zbot - Result: 
13/40 (32.50 %) available as a manual download from the 
pages, both 

[22] samples phone back to the well known elnasa.ru 
/asd/elnasa.ble - 109.95.114.71 - Email: 
kievsk@yandex.ru - 

[23] Aleksey V Kijanskiy. 

Naturally, [24JAS42229 (MARIAM-AS PP Mariam) is a 
cybercrime-friendly AS, with the following currently ac¬ 
tive Zeus C &Cs parked there: 

91.201.196.35 

91.201.196.75 

91.201.196.76 
91.201.196.38 
91.201.196.34 
91.201.196.37 

Sample URL from the IRS-themed campaign: 



- irs.gov 

.renyn.kr/fraud.applications/application/statement.p 

hp 

Sample iFrame from the IRS-themed campaign - 

109.95.114.251 /usa50/in.php is currently down. The 
same 

IP was used to serve client-side exploits in a previous 
campaign - "[25] Pushdo Serving Crimeware, Client-Side 
Exploits and Russian Bride Scams 11 . 

Detection rate fortax-statement.exe - [26]Trojan- 
Spy.Win32.Zbot.gen - Result: 37/41 (90.25 %), [27]which 
upon execution phones [28]back to the well known 
nekovo.ru /cbd/ nekovo.br - 109.95.115.18 - Email: 
kievsk@yandex.ru 

- Aleksey V Kijanskiy 
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Active and spamvertised fast-fluxed domains part of the 
campaign: 

renya.co.kr - Email: Sethdc77@yahoo.co.uk 
renya.kr - Email: Sethdc77@yahoo.co.uk 
renya.ne.kr - Email: Sethdc77@yahoo.co.uk 
renya.or.kr - Email: Sethdc77@yahoo.co.uk 
renyn.kr - Email: Sethdc77@yahoo.co.uk 
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk 


renyn.or.kr - Email: Sethdc77@yahoo.co.uk 
renyo.co.kr - Email: Sethdc77@yahoo.co.uk 
renyo.kr - Email: Sethdc77@yahoo.co.uk 
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyo.or.kr - Email: Sethdc77@yahoo.co.uk 
renyx.co.kr - Email: Sethdc77@yahoo.co.uk 
renyx.kr - Email: Sethdc77@yahoo.co.uk 
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renyx.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyx.or.kr - Email: Sethdc77@yahoo.co.uk 
rep021.co.kr - Email: DRendell3407@hotmail.com 
rep021.kr - Email: DRendell3407@hotmail.com 
rep021.ne.kr - Email: DRendell3407@hotmail.com 
rep021.or.kr - Email: DRendell3407@hotmail.com 
rep022.co.kr - Email: DRendell3407@hotmail.com 
rep022.kr - Email: DRendell3407@hotmail.com 
rep022.ne.kr - Email: DRendell3407@hotmail.com 
rep022.or.kr - Email: DRendell3407@hotmail.com 
rep023.co.kr - Email: DRendell3407@hotmail.com 
rep023.kr - Email: DRendell3407@hotmail.com 



rep023.or.kr - Email: DRendell3407@hotmail.com 
rep024.kr - Email: DRendell3407@hotmail.com 
rep071.co.kr - Email: KantuM37690@hotmail.com 
rep071.kr - Email: KantuM37690@hotmail.com 
rep071.ne.kr - Email: KantuM37690@hotmail.com 
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rep071.or.kr - Email: KantuM37690@hotmail.com 
rep072.co.kr - Email: KantuM37690@hotmail.com 
rep072.kr - Email: KantuM37690@hotmail.com 
rep072.ne.kr - Email: KantuM37690@hotmail.com 
rep072.or.kr - Email: KantuM37690@hotmail.com 
rep073.co.kr - Email: KantuM37690@hotmail.com 
rep073.kr - Email: KantuM37690@hotmail.com 
rep073.ne.kr - Email: KantuM37690@hotmail.com 
rep073.or.kr - Email: KantuM37690@hotmail.com 
rep074.co.kr - Email: KantuM37690@hotmail.com 
rep074.ne.kr - Email: KantuM37690@hotmail.com 
rep074.or.kr - Email: KantuM37690@hotmail.com 
repl051.co.uk 


repl051.me.uk 

repl051.org.uk 

repl051.uk.com 

repak.co.kr - Email: limhomeslm@yahoo.co.uk 
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repak.kr - Email: limhomeslm@yahoo.co.uk 
repak.ne.kr - Email: limhomeslm@yahoo.co.uk 
repak.or.kr - Email: limhomeslm@yahoo.co.uk 
repaz.co.kr - Email: Olb55768@yahoo.co.uk 
repaz.kr - Email: Olb55768@yahoo.co.uk 
repaz.or.kr - Email: Olb55768@yahoo.co.uk 
repek.co.kr - Email: limhomeslm@yahoo.co.uk 
repek.ne.kr - Email: limhomeslm@yahoo.co.uk 
repek.or.kr - Email: limhomeslm@yahoo.co.uk 
repey.co.kr - Email: Olb55768@yahoo.co.uk 
repey.kr - Email: Olb55768@yahoo.co.uk 
repey.ne.kr - Email: Olb55768@yahoo.co.uk 
repey.or.kr - Email: Olb55768@yahoo.co.uk 
repia.co.kr - Email: Olb55768@yahoo.co.uk 
repia.kr - Email: Olb55768@yahoo.co.uk 



repia.ne.kr - Email: Olb55768@yahoo.co.uk 
repia.or.kr - Email: Olb55768@yahoo.co.uk 
repik.co.kr - Email: limhomeslm@yahoo.co.uk 
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repik.kr - Email: limhomeslm@yahoo.co.uk 
repik.or.kr - Email: limhomeslm@yahoo.co.uk 
repok.co.kr - Email: limhomeslm@yahoo.co.uk 
repok.kr - Email: limhomeslm@yahoo.co.uk 
repok.ne.kr - Email: limhomeslm@yahoo.co.uk 
repok.or.kr - Email: limhomeslm@yahoo.co.uk 
repoy.co.kr - Email: Olb55768@yahoo.co.uk 
repoy.kr - Email: Olb55768@yahoo.co.uk 
repoy.ne.kr - Email: Olb55768@yahoo.co.uk 
repoy.or.kr - Email: Olb55768@yahoo.co.uk 
repolil.co.uk 
repolil.me.uk 
repoli2.co.uk 
repoli2.me.uk 
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repoli3.co.uk 

repolie.co.uk 

repolio.co.uk 

repoliq.co.uk 

repoliq.me.uk 

repolit.me.uk 

repoliw.co.uk 

repoliw.me.uk 

repolix.co.uk 

repolix.me.uk 

Name servers of notice: 

nsl .skcrealestate.net - 89.238.165.195 - Email: 
support@skrealty.net 

nsl .addressway.net - 89.238.165.195 - Email: 
poolbill@hotmail.com 

nsl .skcpanel.com - 64.20.42.235 - Email: 
support@sk.com 

nsl .holdinglory.com - 64.20.42.235 - Email: 
greysy@gmx.com 

nsl .skcres.com - 64.20.42.235 - Email: hr@skc.net 

nsl .x-videocovers.net - 64.20.42.235 - Email: 
storylink@live.com 



Interestingly, researchers from [29]M86 Security gained 
access to the web malware exploitation kit used in a 

previous campaign: 

" It has been up and running and serving exploits for nearly 
a day. In this time almost 40,000 unique users 

have been exposed to these exploits, and the Zeus 
file has been downloaded over 5000 times. These 
downloads do not include the PhotoArchive.exe file 
downloads that a user may be tricked into downloading and 
executing themselves. 11 

Updated will be posted as soon as new developments 
emerge. 

Related coverage of the gang's previous campaigns: 

[30] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[31] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[32] Facebook/AOL Update Tool Spam Campaign Serving 
Crimeware and Client-Side Exploits 

[33] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[34] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[35] Pushdo Injecting Bogus Swine Flu Vaccine 

[36] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 



[37]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 


[38]The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [39]Dancho Danchev's 
blog. Follow him [40Jon Twitter. 

1 . 
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Don't Play Poker on an Infected Table - Part Two 
(2010-02-25 13:17) 

Over the past week and a half, cybercriminals have been 
aggressively spamvertising a growing portfolio of domains, 
relying on deceptive advertising for nonexistent and 
fraudulent online gambling web sites, serving the well 
known Win32.GAMECasino. 

• Go through related posts: [l]Don't Play Poker on an 
Infected Table; [2]Malware(Client-Side Exploits) Serving 

Online Casinos 

What's particularly interesting about the campaign, is the 
fact that all of the domains serve identical template, with 
the SmartDownload.exe binary hosted "in the cloud" thanks 
to Amazon's Web Services 

(anat.s3.amazonaws.com/dir4/ 

SmartDownload.exe). 

Detecting rate forSmartDownload.exe - 

[3]Win32.GAMECasino - Result: 10/42 (23.81 %). 

Sample phones 

back the following domain - 

download.realtimegaming.com 
/cdn/goldvipclub/package list.ini.zip?fakeParam=l 

- 212.201.100.144 - Email: admin@REALTIMEGAMING.COM; 
RealTime Gaming Holding Company, LLC, registered 

under the following address according to the information 
published on their web site: 
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• For Licensing opportunities or Company 
lnformation,please submit request to Hasting B. V. Click 
Here.Hastings International B.V.New Haven Office 
CenterEmancipatie Boulevard 31 - P.O. Box 6052Curacao 
Netherlands An-tilles 

Here are the spavertised domains in question, including the 
name servers involved. 

Spamvertised domains parked on 116.123.221.17; 
112.159.237.58: 

aerojackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
compujackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotadvance.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotalist.net - Email: dfgdfgvcsxl2@foxmail.com 
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jackpotbee.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotbuzz.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotcanyon.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotclubs.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotfairy.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotfan.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotflag.net - Email: dfgdfgvcsxl2@foxmail.com 


jackpoticity.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotjets.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotlodge.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotlodge.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotmoment.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotpair.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotrocket.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotthink.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpottodoor.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotwire.net - Email: dfgdfgvcsxl2@foxmail.com 
jacpotcongress.net - Email: dfgdfgvcsxl2@foxmail.com 
linejackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
lux777cazino.net - Email: efghfgbvghfgh@qq.com 
majicjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
midjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
mixerjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
needjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
nestjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
shopjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
smart-nest.net - Email: dfgdsfvcb@163.com 




structjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
the-cash.net - Email: dfgdsfvcb@163.com 
thejackpots.net - Email: dfgdfgvcsxl2@foxmail.com 
windowjackpots.net - Email: dfgdfgvcsxl2@foxmail.com 
win-vox.net - Email: dfgdsfvcb@163.com 
aerowin.net - Email: dfgdsfvcb@163.com 
beach-jackpot.net - Email: dfgdsfvcb@163.com 
beautyselite.net - Email: dfgdsfvcb@163.com 
binwin.net - Email: dfgdsfvcb@163.com 
clashflash.net - Email: dfgdsfvcb@163.com 
couldwin.net - Email: dfgdsfvcb@163.com 
dinwin.net - Email: dfgdsfvcb@163.com 
eliteclasss.net - Email: dfgdsfvcb@163.com 
eliteorder.net - Email: dfgdsfvcb@163.com 
eliteplaza.net - Email: dfgdsfvcb@163.com 
elitescoop.net - Email: dfgdsfvcb@163.com 
eliteweird.net - Email: dfgdsfvcb@163.com 
ezelite.net - Email: dfgdsfvcb@163.com 
flashapex.net - Email: dfgdsfvcb@163.com 
flashbrook.net - Email: dfgdsfvcb@163.com 



flashbuzzs.net - Email: dfgdsfvcb@163.com 
flashcensus.net - Email: dfgdsfvcb@163.com 
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flashclashs.net - Email: dfgdsfvcb@163.com 
flashlasch.net - Email: dfgdsfvcb@163.com 
flashlash.net - Email: dfgdsfvcb@163.com 
flashmoment.net - Email: dfgdsfvcb@163.com 
flashnest.net - Email: dfgdsfvcb@163.com 
flashpixie.net - Email: dfgdsfvcb@163.com 
flashslash.net - Email: dfgdsfvcb@163.com 
flashspark.net - Email: dfgdsfvcb@163.com 
flashspell.net - Email: dfgdsfvcb@163.com 
flashzap.net - Email: dfgdsfvcb@163.com 
free-smart.net - Email: dfgdsfvcb@163.com 
ginwin.net - Email: dfgdsfvcb@163.com 
goingtowins.net - Email: dfgdsfvcb@163.com 
hitecwinner.net - Email: dfgdsfvcb@163.com 
innerwinner.net - Email: dfgdsfvcb@163.com 
interelite.net - Email: dfgdsfvcb@163.com 


jackpot-direct.net - Email: dfgdsfvcb@163.com 
jackpot-fire.net - Email: dfgdsfvcb@163.com 
jackpot-help.net - Email: dfgdsfvcb@163.com 
jackpot-infinity.net - Email: dfgdsfvcb@163.com 
jackpot-mind.net - Email: dfgdsfvcb@163.com 
jackpot-minute.net - Email: dfgdsfvcb@163.com 
jackpot-phone.net - Email: dfgdsfvcb@163.com 
jackpot-reunion.net - Email: dfgdsfvcb@163.com 
jackpot-senate.net - Email: dfgdsfvcb@163.com 
jackpot-talk.net - Email: dfgdsfvcb@163.com 
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jackpot-taven.net - Email: dfgdsfvcb@163.com 
jackpot-topia.net - Email: dfgdsfvcb@163.com 
jackpot-wire.net - Email: dfgdsfvcb@163.com 
laschflash.net - Email: dfgdsfvcb@163.com 
learn-jackpot.net - Email: dfgdsfvcb@163.com 
magicwinner.net - Email: dfgdsfvcb@163.com 
mapwinner.net - Email: dfgdsfvcb@163.com 
mediaselite.net - Email: dfgdsfvcb@163.com 



mindelite.net - Email: dfgdsfvcb@163.com 
mrelite.net - Email: dfgdsfvcb@163.com 
needwin.net - Email: dfgdsfvcb@163.com 
pixiewinner.net - Email: dfgdsfvcb@163.com 
powerwinners.net - Email: dfgdsfvcb@163.com 
predict-jackpot.net - Email: dfgdsfvcb@163.com 
pushelite.net - Email: dfgdsfvcb@163.com 
reseachelite.net - Email: dfgdsfvcb@163.com 
sellelite.net - Email: dfgdsfvcb@163.com 
sgameelite.net - Email: dfgdsfvcb@163.com 
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sharpwinner.net - Email: dfgdsfvcb@163.com 
smart-enough.net - Email: dfgdsfvcb@163.com 
smart-fire.net - Email: dfgdsfvcb@163.com 
smart-log.net - Email: dfgdsfvcb@163.com 
smart-nest.net - Email: dfgdsfvcb@163.com 
smart-spree.net - Email: dfgdsfvcb@163.com 
steelites.net - Email: dfgdsfvcb@163.com 
surveylite.net - Email: dfgdsfvcb@163.com 
targetelite.net - Email: dfgdsfvcb@163.com 



theelites.net - Email: dfgdsfvcb@163.com 
theflashers.net - Email: dfgdsfvcb@163.com 
theywin.net - Email: dfgdsfvcb@163.com 
velowinner.net - Email: dfgdsfvcb@163.com 
vote-smart.net - Email: dfgdsfvcb@163.com 
wanttowin.net - Email: dfgdsfvcb@163.com 
winbot.net - Email: dfgdsfvcb@163.com 
winnercrest.net - Email: dfgdsfvcb@163.com 
winnerfast.net - Email: dfgdsfvcb@163.com 
winnerhut.net - Email: dfgdsfvcb@163.com 
winnerincumbent.net - Email: dfgdsfvcb@163.com 
winnermass.net - Email: dfgdsfvcb@163.com 
winnerpub.net - Email: dfgdsfvcb@163.com 
winnerrocket.net - Email: dfgdsfvcb@163.com 
winnersalon.net - Email: dfgdsfvcb@163.com 
winnerscan.net - Email: dfgdsfvcb@163.com 
winnertake.net - Email: dfgdsfvcb@163.com 
winnertal.net - Email: dfgdsfvcb@163.com 
winnertoyou.net - Email: dfgdsfvcb@163.com 
zap-smart.net - Email: dfgdsfvcb@163.com 



Name servers of notice: 


nsl.bb6ns.com - 58.83.8.45 - Email: li-zhenshu@163.com 

nsl.bedws.com - 218.61.126.28 - Email: 
guoxiufenghy@163.com 

nsl.catdogns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

nsl.cebht.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

nsl.dd5ns.com - 61.191.191.61 - Email: li- 
zhenshu@163.com 

nsl.dogmens.com - 208.78.242.185 - Email: 
hmr@data99.com 

nsl.euromarketorder.com - 218.61.126.28 

nsl.fesws.com - 218.61.126.28 - Email: 
info2@data99.com 

nsl.goatdns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

nsl.hh7ns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

nsl.kindball.com - 218.61.126.28 - Email: 
zhaokaijunlp@163.com 

nsl.mm8ns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

nsl.nn4ns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 



nsl.ss6ns.com - 61.191.191.61 - Email: 
shirley9127@hotmail.com 

nsl.wildnn.com - 208.78.242.185 - Email: 
hmr@data99.com 

ns2.gg9ns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

ns2.sruisorehoes.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

ns2.zz8ns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

ns3.bavns.com - 218.61.126.28 - Email: 
shirley9127@hotmail.com 
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ns3.bawns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

ns3.becns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

ns3.bojns.com - 218.61.126.28 - Email: li- 
zhenshu@163.com 

The campaign is a great example of cybercrime-friendly 
affiliate networks, with the cybercriminals in this case 
investing a modest amount of money for the actual 
spamming process, and then earning 30 % flat rate, which 
can 


also be scaling between 20 % to 45 % depending on their 
choice. 

The practice has been around for years. Here are three 
monetizations strategies seeing within the last two years, all 
of which remain an active tactic for fraudsters to take 
advantage of: 

• Brandjacking and monetizing through pseudo-value 
added crapware applications- this practice has been 
profiled in a previous analysis M [4]Cybersquatting Security 
Vendors for Fraudulent Purposes". PandaSecurity's reaction 
back then? Immediate notification of their legal department. 

• SMS micro-payment scams through typosquatting 
and brandjacking - this tactic has already been profiled in 

"[5]Legitimate Software Typosquatted in SMS Micro-Payment 
Scam" analysis. Compared to the typosquatting in the 
previous scheme, this campaign was monetizing freely 
available software. 

• Abuse of legitimate affiliate networks - In January, 
2009, I [6]profiled and took down a campaign that has 
typosquatted domains for popular applications and was 
advertising them through Google's AdSense in an attempt 
to earn money from a legitimate affiliate network - 
[7]Conduit's Rewards Program. The abuse of these 

networks can be easily taken care of, since the 
cybercriminal that's violating their Terms of Service is 
exposing himself as a legitimate user, with his very own 
CampaignID. 

You may want to reconsider using an online gambling 
application that's being spammed using a botnet, with the 



actual application crypted using a tool exclusively used by 
malware authors in an attempt to bypass signatures based 
antivirus scanning. 

Amazon's Web Services are aware of this campaign. Action 
against it should be taken shortly. 

This post has been reproduced from [8]Dancho Danchev's 
blog. Follow him [9Jon Twitter. 

1. http://ddanchev.blo as oot.com/2QQ7/09/dont-pla v- Poker- 
on-infected-table.html 

2. http://ddanchev.blo as pot.com/2QQ7/ll/malware-servin a- 
online-casinos.html 

3. 

http://www.virustotal.com/analisis/2488cl252a5b3207d7af 
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12670 
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4. http://ddanchev.blo as pot.com/2QQ8/Q3/cvbersauattin a- 
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9. http://twitter.com/danchodanchev 

1099 

Fotolog's FTLog Malware Campaign Serves Bogus 
Video Codecs (2010-02-26 00:02) 
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Summarizing Zero Day's Posts for February (2010- 
03-02 21:20) 

The following is a brief summary of all of my posts at 
[l]ZDNet's Zero Day for February, 2010. You [2]can also go 
through [3]previous summaries, as well as subscribe to my 
[4]personal RSS feed, [5]Zero Day's main feed, [6]follow me 
or all of [7]ZDNet's blogs on Twitter. 

Recommended reading - [8]Reports: SQL injection 
attacks and malware led to most data breaches; 
^Re¬ 
port: Malicious PDF files comprised 80 percent of all 
exploits for 2009 and [10]10 things you didn't know 
about the Koobface gang 

01. [ll]Does Blippy really pose a security risk? 

02. [12]Reports: SQL injection attacks and malware led to 
most data breaches 



03. [13]Scammers phishing for sensitive iPhone data 

04. [14]Report: Malicious PDF files comprised 80 percent of 
all exploits for 2009 

05. [15]The Kneber botnet - FAQ 

06. [16]10 things you didn't know about the Koobface gang 

This post has been reproduced from [17]Dancho Danchev's 
blog. Follow him [18]on Twitter. 

1. http://blo a s.zdnet.com/securit v 

2. http://ddanchev.blo as pot.com/201Q/01/summarizin a- 
zero-da vs- posts-for.html 
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zero-da vs- posts-for- i anuarv.html 

4. http://updates.zdnet.com/ta a s/dancho-i-danchev.html? 
t=0&s=Q&o=l&mode=rss 

5. http://feeds.feedburner.com/zdnet/securit v 

6. http://twitter.com/danchodanchev 

7. http://twitter.com/zdnetblo as 

8. http://blo a s.zdnet.com/securit v/? p = 5421 

9. httP://blo a s.zdnet.com/securit v/? p = 5473 

10. http://blo a s.zdnet.com/securit v/? p=5452 

11. http://blo a s.zdnet.com/securit v/? p=5401 

































12. httP://blo a s.zdnet.com/securit v/? p=5421 
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15. http://blo a s.zdnet.com/securit v/? p=5508 

16. httP://blp a s.zdnet.com/securit v/? p=5452 

17. http://ddanchev.blo as pot.com/ 

18. http://twitter.com/danchodanchev 
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Don't Play Poker on an Infected Table - Part Three 
(2010-03-09 22:43) 

The monetization of phony online gambling networks - 
clearly tolerating systematic violation of their TOS - is 

continuing with the scammers behind last month's 
campaign ([l]Don't Play Poker on an Infected Table - 
Part Two) spamvertising another portfolio of domains using 
new templates. 

It's worth pointing out that the spammers don't just earn 
revenue every time someone installs the applica¬ 
tion, but also, every time the, now converted visitor, 
interacts financially with the service, a monetization 
approach you'll see in the attached screenshots. 

Detection rates for the spamvertised binaries (downloaded 
from gamez-lux.com and we3tt.com) : 




















[2jStarsVIPCasino_Setup.exe - Result: 14/42 (33.33 %); 
[31GoldenMummyEN.exe - Result: 9/42 (21.43 %); 
[4JRubyRoyaleEN.exe - Result: 11/42 (26.19 %). Sample 
phone back locations: 

download.thepalacegroupgaming.com; 
pcm3.valueactive.eu; rubyfortune.mgsmup.com 
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Spamvertised domains include: 

adrembovesttes.net - Email: pengjiajie222@163.com 
bonuscasinoslux.net - Email: fgsdvbbvd@qq.com 
bonusgameslux.net - Email: fgsdvbbvd@qq.com 
bonusluxcasinos.net - Email: fgsdvbbvd@qq.com 
bonusluxplays.net - Email: fgsdvbbvd@qq.com 
bonusplayslux.net - Email: fgsdvbbvd@qq.com 
casinosbonuslux.net - Email: fgsdvbbvd@qq.com 
casinosluxclub.net - Email: fgsdvbbvd@qq.com 
casinosluxstar.net - Email: fgsdvbbvd@qq.com 
clopelinesutes.net - Email: fgsdvbbvd@qq.com 
clubgameslux.net - Email: fgsdvbbvd@qq.com 
clubluxgames.net - Email: fgsdvbbvd@qq.com 
club-of-lux.net - Email: fgsdvbbvd@qq.com 


clubs-play.net - Email: fgsdvbbvd@qq.com 
clubvegas-games.net - Email: fgsdvbbvd@qq.com 
gameclubviva.net - Email: fgsdvbbvd@qq.com 
game-lux-club.net - Email: fgsdvbbvd@qq.com 
gamesbonuslux.net - Email: fgsdvbbvd@qq.com 
games-gold.net - Email: fgsdvbbvd@qq.com 
gameslux.net - Email: fgsdvbbvd@qq.com 
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gamesstarlux.net - Email: fgsdvbbvd@qq.com 
gamevivagold.net - Email: fgsdvbbvd@qq.com 
gorxshop.net - Email: sdfxckj@msn.com 
hannoweramtes.net - Email: ftyughsere@qq.com 
lutiok.net - Email: ftgy23fge@126.com 
luxbonusgames.net - Email: fgsdvbbvd@qq.com 
luxbonusplays.net - Email: fgsdvbbvd@qq.com 
luxcasinosbonus.net - Email: fgsdvbbvd@qq.com 
luxclubcasinos.net - Email: fgsdvbbvd@qq.com 
luxclubplays.net - Email: fgsdvbbvd@qq.com 
luxgamesbonus.net - Email: fgsdvbbvd@qq.com 


Iuxgamesstar.net - Email: fgsdvbbvd@qq.com 
luxplaysclub.net - Email: fgsdvbbvd@qq.com 
luxplaysstar.net - Email: fgsdvbbvd@qq.com 
luxs-games.net - Email: fgsdvbbvd@qq.com 
luxstarplays.net - Email: fgsdvbbvd@qq.com 
mollehoukutes.net - Email: guoaiwense@163.com 
murgadobarotes.net - Email: guoaiwense@163.com 
namedosaras.net - Email: ftyughsere@qq.com 
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pay3500win.net - Email: dfgdvbcv@sina.com 
playeuro777.net - Email: fghvvbcfgds@tom.com 
playeuro888.net - Email: fghvvbcfgds@tom.com 
playglobal777.net - Email: dfhhjg4ee@163.com 
playsclublux.net - Email: fgsdvbbvd@qq.com 
playsluxclub.net - Email: fgsdvbbvd@qq.com 
realcash-mine.net - Email: dfgdvbcv@sina.com 
realcash-offer.net - Email: dfgdvbcv@sina.com 
realcash-wins.net - Email: dfgdvbcv@sina.com 
regal-jackpot.net - Email: dfgdvbcv@sina.com 


regalvegas-online.net - Email: dfgdvbcv@sina.com 

royalcasino777.net - Email: edwfrsdf@126.com 

royalcasino888.net - Email: edwfrsdf@126.com 

royalvegas-play.net - Email: dfgdvbcv@sina.com 

satregonovates.net - Email: pengjiajie222@163.com 

softaserutes.net - Email: ftyughsere@qq.com 

softoutnertes.net - Email: ftyughsere@qq.com 

softuoplowtes.net - Email: ftyughsere@qq.com 

stargameslux.net - Email: ftyughsere@qq.com 

starluxcasinos.net - Email: ftyughsere@qq.com 

sundowutortes.net - Email: guoaiwense@163.com 

vegasclubsgame.net - Email: fgsdvbbvd@qq.com 

vegasgamesclub.net - Email: fgsdvbbvd@qq.com 

Sample monetization in action: 
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Phony affiliate networks are reserve the right to forward the 
responsibility for the malicious activity to participants 
violating their Terms or Service. A violation that earned both 
parties significant amounts of money, in between The "don't 
play poker on an infected table" series are prone to expand. 


Related posts: 

[5] Don't Play Poker on an Infected Table - Part Two 

[6] Don't Play Poker on an Infected Table 

[7] Malware Serving Online Casinos 

This post has been reproduced from [8]Dancho Danchev's 
blog. Follow him [9Jon Twitter. 

1. http://ddanchev.blo as pot.com/2010/02/dont-pla v- poker- 
on-infected-table-part.html 
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12681 

61342 
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12681 
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bf94da7eca948422af758ab6690fe30ed7f27e71200e- 


12681 
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on-infected-table.html 

7. http://ddanchev.blo as pot.com/2QQ7/ll/malware-servin a- 
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AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop 
from 249 to 181 (2010-03-10 21:01) 

2nd update for Friday, March, 12, 2010 - [l]Troyak-AS 
is down again - 11 This AS is not currently used to announce 
prefixes in the global routing table, nor is it used as a visible 
transit AS. " 

UPDATED: Friday, March, 12, 2010 - Troyak-AS peering 
courtesy of [2]AS25189 - NLINE-AS JSC Nline. Since 

the entire Troyak-as takedown campaign is turning into an 
infinite loop, it's time for a "terminating condition". 

2nd update for Thursday, March 11, 2010: Troyak-AS is 
back from the dead. Upstream courtesy of [3JAS8342 

- RTCOMM-AS RTComm.RU Autonomous System. The good 
news? Troyak's Zeus C &Cs are still offline. 


















UPDATED: Thursday, March 11, 2010 - [4]TROYAK-AS 
Starchenko Roman Fedorovich is dead again -" This AS is 
not currently used to announce prefixes in the global 
routing table, nor is it used as a visible transit AS. 11 

UPDATED: Troyak-as is now [5]AS44051 YA-AS 
Professional Communication Systems. 

[6]AS50215 Troyak-as, the cybercrime-friendly virtual 
neighborhood that was a key component in the hosting 

infrastructure for all of the Zeus-crimeware serving 
campaigns during Q1 of 2010, has been taken offline, 
resulting in a pretty evident drop in Zeus C &Cs, according 
to this graph courtesy of the [7]ZeusTracker. 

AS50215 Troyak-as (ctlan.net; prombd.net) was of course 
the tip of the iceberg, directly or indirectly interacting with 
the following ASs: 

• AS31366 - smallshop-as Stebluk Vladimir 
Vladimirovich bid 

• AS44107 - PROMBUDDETAL-AS Prombuddetai LLC 

• AS50369 - VISHCLUB-as Kanyovskiy Andriy 

• AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich 

• AS47560 - VESTEH-NET-as Vesteh LLC 

Don't pop the corks just yet, their customers, in particular 
their money mule recruitment customers are already 
migrating to the competition. 

From a cybercriminal's perspective, such minor operational 
glitches don't undermine the business model. Sadly, it's 
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more cost-effective to build a new botnet, compared to 
trying to gain access to the old one. What truly undermines 
their business model is their inability to utilize the 
monetization vector. 

AS50215 TROYAK-AS Starchenko Roman Fedorovich 
activity during Ql, 2010: 

[8] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[10] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[11] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[12] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14Jon Twitter. 

1. http://cidr-report.or a/ca i-bin/as-report?as=AS50215 
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6. http://www.abuse.ch/7p = 2417 

7. https://zeustracker.abuse.ch/monitor. oh p?filter=on line 

8. http://ddanchev.blo as pot.com/2QlQ/01/outlook-web- 
access-themed-spam-campai a n.html 

9. http://ddanchev.blo as pot.com/2QlQ/Ql/pushdo-servin a- 
crimeware-client-side.html 


10. http://ddanchev.blo as pot.com/2QlQ/Q2/photoarchive- 
crimewareclient-side.html 


11. http://ddanchev.blo as pot.com/2Q10/Q2/tax-report- 
themed-zeusclient-side.html 


12. http://ddanchev.blo as pot.com/2QlQ/Q2/keepin a -mone v- 
mule-recruiters-on-short.html 


13. http://ddanchev.blo as pot.com/ 

14. http://twitter.com/danchodanchev 
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Money Mule Recruiters on Yahool's Web Hosting 
(2010-03-11 20:41) 

UPDATED: Saturday, March 13, 2010 - Yahoo! Web 
Hosting abuse just pinged me that 11 We have investigated 
the sites and taken the necessary action". 

Just how dumb, or perhaps ingenious is a cybecriminal that 
would host his money mule recruitment opera- 






























tions using Yahool's Web Hosting services? Is the reputable 
hosting location, worth the risk of having their campaigns 
taken down much easily than if there were hosting them on 
the bad reputation block, and would have never bothered 
replying to abuse notifications? 

Whatever the motivation of the people behind this money 
mule recruitment campaign, they are currently us¬ 
ing Yahoo! Web Hosting. Domains in question, including 
contact details: 
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- Reed Financial Services - reed-fs.com - 68.180.151.74 
555 11th St NW 

Washington, DC 20004 
Phone numbers: 

(866) 863-6438 
(202) 355-6678 (FAX) 
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- Stevens Financial Solutions - stevensfs.com - 
98.136.50.138; 69.147.83.187; 69.147.83.188 

Postal address: 


Stevens Financial Solutions 


Bahnhofstrasse 32 


CH-8001 Zurich, Switzerland 
Value Added Tax Nr.: 428 643 
Phones and fax no's: 

Phone: +41 (43) 219-2551 

Fax 1: +41 (43) 219-2551 

Fax 2: +1 (866) 703-7622 US Toll-Free 

- Waters & Co. LLP - watersllp.com - 216.39.57.104 
400 East Pratt Street, 

Baltimore, MD 21202 
United States 
Phone numbers: 

(443) 524-9221 
(443) 524-9221 (FAX) 
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- Nilson Financial Solutions - nilson-fs.com - 98.136.92.76; 
98.136.92.77; 98.136.92.78 

Nilson Financial Solutions 


Bahnhofstrasse 32 


CH-8001 Zurich, Switzerland 

Value Added Tax Nr.: 428 643 

Phones and fax no's: 

Phone: +41 (43) 219-2551 

Fax 1: +41 (43) 219-2551 

Fax 2: +1 (866) 472-0560 US Toll-Free 

Upon submitting the personal details, the potential money 
mule is required to send a scanned copy of their 

ID or driving license: 

• 11 Familiarize yourself with all clauses of the contract. Fill 
the contract and send us a scanned copy of it to the email 
address info@watersllp.com or by fax: (443) 524-9221. The 
contract becomes valid from the moment of the reception of 
the correctly filled copy of the contract. You should be 
familiar with that the validity of the contract in the 
electronic form is completely identical to the contract 
signed at personal presence of both parties.* To pass the 
procedure of identity verification in order to prevent 
fraudulent registrations, you are required to send a scan of 
valid ID or a driving license to the e-mail: 
info@watersllp.com or by fax: (443) 524-9221. We 
guarantee full confidentiality of your personal information, 
more information on this matter you will find in our Privacy 
Policy PLEASE LET US KNOW BY EMAIL WHEN YOU WILL FAX 
BACK/EMAIL AS ATTACHEMENT THE CONTRACT AND 

APPLICATION FORM WITHIN 48 HOURS. " 
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Yahool's Web Hosting abuse team has been notified of the 
campaigns, and will nuke the offline a.s.a.p 

Related coverage of money laundering in the 
context of cybercrime: 

[1] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[2] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[3] Keeping Reshipping Mule Recruiters on a Short Leash 

[4] Keeping Money Mule Recruiters on a Short Leash 

[5] Standardizing the Money Mule Recruitment Process 

[6] lnside a Money Laundering Group's Spamming 
Operations 

[7] Money Mule Recruiters use ASProx's Fast Fluxing Services 

[8] Money Mules Syndicate Actively Recruiting Since 2002 
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mule-recruiters-on-short.html 

5. http://ddanchev.blo as pot.com/20Q9/lQ/standardizin a- 
monev-mule-recrujtment.html 

6. http://ddanchev.blo as pot.com/2QQ9/Q5/inside-mone v- 
launderin a-a roups-spammin a .html 

7. http://ddanchev.blo as pot.com/2QQ8/Q7/monev-mule- 
recruiters-use-asproxs-fast.html 

8. http://ddanchev.blo as pot.com/2QQ8/lQ/monev-mules- 
s vndicate-activelv.html 

9. http://ddanchev.blo as pot.com/ 

10. http://twitter.com/danchodanchev 
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Scareware, Sinowal, Client-Side Exploits Serving 
Spam Campaign in the Wild (2010-03-13 00:17) 

AS50215 Troyak-as customers are back, with an ugly mix 
of scareware, sinowal, and client-side exploits serving 
campaign using the " You don't have the latest version of 
Macromedia Flash Player 11 theme. Quality assurance is also 
in place this time, with the client-side exploit serving 
domains using a well known "[1] function nerot' 
obfuscation technique in an attempt to bypass link 
scanners. 

Let's dissect the campaign, list all the typosquatted and 
spamvertised domains, the client-side exploit serving 
iFrames and the actual scareware. 





























Sampled 

URLs 

archives 

.wesh.kr/archive0715/?id=test@test.com; 

anonymousfiles 

.wesh.or.kr/archive0715/?id=test@test.com. 
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Spamvertised and typosquatted currently active domains 
include: 

enyg.ne.kr - Email: EneesC9563@hotmail.com 
enyk.ne.kr - Email: EneesC9563@hotmail.com 
enyz.ne.kr - Email: EneesC9563@hotmail.com 
enyg.kr - Email: EneesC9563@hotmail.com 
enyk.kr - Email: EneesC9563@hotmail.com 
enyg.co.kr - Email: EneesC9563@hotmail.com 
enyk.co.kr - Email: EneesC9563@hotmail.com 
enyt.co.kr - Email: EneesC9563@hotmail.com 
enyz.co.kr - Email: EneesC9563@hotmail.com 
enyg.or.kr - Email: EneesC9563@hotmail.com 
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K 

enyk.or.kr - Email: EneesC9563@hotmail.com 
enyt.or.kr - Email: EneesC9563@hotmail.com 
enyz.or.kr - Email: EneesC9563@hotmail.com 
enyt.kr - Email: EneesC9563@hotmail.com 
enyz.kr - Email: EneesC9563@hotmail.com 
erase.co.kr - Email: PalacidoL6860@hotmail.com 
erase.ne.kr - Email: PalacidoL6860@hotmail.com 
erase.or.kr - Email: PalacidoL6860@hotmail.com 
erasm.co.kr - Email: PalacidoL6860@hotmail.com 
erasm.kr - Email: PalacidoL6860@hotmail.com 
erasm.ne.kr - Email: PalacidoL6860@hotmail.com 
erasm.or.kr - Email: PalacidoL6860@hotmail.com 
erasv.co.kr - Email: PalacidoL6860@hotmail.com 
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erasv.kr - Email: PalacidoL6860@hotmail.com 
erasv.ne.kr - Email: PalacidoL6860@hotmail.com 
erasv.or.kr - Email: PalacidoL6860@hotmail.com 
erasw.co.kr - Email: PalacidoL6860@hotmail.com 


erasw.kr - Email: PalacidoL6860@hotmail.com 
erasw.ne.kr - Email: PalacidoL6860@hotmail.com 
erasw.or.kr - Email: PalacidoL6860@hotmail.com 
wesc.ne.kr - Email: PalacidoL6860@hotmail.com 
wese.co.kr - Email: PalacidoL6860@hotmail.com 
wese.kr - Email: PalacidoL6860@hotmail.com 
wese.or.kr - Email: PalacidoL6860@hotmail.com 
wesh.co.kr - Email: PalacidoL6860@hotmail.com 
wesh.kr - Email: PalacidoL6860@hotmail.com 

wesh. or.kr - Email: PalacidoL6860@hotmail.com 

wesi. co.kr - Email: PalacidoL6860@hotmail.com 
wesi.kr - Email: PalacidoL6860@hotmail.com 
wesi.or.kr - Email: PalacidoL6860@hotmail.com 
wesw.co.kr - Email: PalacidoL6860@hotmail.com 
wesw.kr - Email: PalacidoL6860@hotmail.com 
wesw.ne.kr - Email: PalacidoL6860@hotmail.com 
wesw.or.kr - Email: PalacidoL6860@hotmail.com 
Name servers of notice: 

nsl.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net 



nsl.welcomhell.com - 74.117.63.218 - Email: 
klincz@aol.com 

nsl.skcstaff.com - 87.117.245.9 - Email: 
staffing@skhomes.com 

nsl.limeteablack.net - 87.117.245.9 - Email: 
doofi@usa.com 

Upon visiting the spamvertised links, the cybercriminals are 
then enticing the user into manually downloading 

update.exe - [2]Trojan:Win32/Alureon.DA; Mal/FakeAV-CS - 
Result: 10/42 (23.81 %). 

The sample phones back to the following location, 
downloading the actual scareware (setup.exe - 
[3]Mal/FakeAV-CS; FakeAlert-FQ - Result: 9/41 (21.96 %) ), 
and ensuring the the cybercriminals phone back with the 
affiliate ID to confirm a successful installation: 

- gotsaved.cn/css/ void/crcmds/main - 91.212.132.7 - 
Email: georgelem@xhotmail.net 

gotsaved.cn/css/ _void/srcr.dat 

gotsaved.cn/css/ void/crcmds/install 

gotsaved.cn/css/ void/crfiles/serf 

gotsaved.cn/css/ _void/crcmds/builds/bbr 

gotsaved.cn/css/ _void/crfiles/bbr 

gotsaved.cn/css/ _void/knock.php 

gotsaved.cn/css/ void/crcmds/extra 



- automaticallyfind.org/?gd = KCo7MD8uPS4iPA= = 
&affid=XF5W &subid=AQoY &prov= &mode=cr &v=6 
&newref= 1 

- 69.39.238.101 - Email: larrypenn@xhotmail.net 

automaticallyfind.org/?gd = KCo7MD8uPS4iPA= = 
&affid=Wg== &subid=GwocGwEEHQ== &prov= 
&mode=cr 

&v=6nkr 
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beinahet.com/readdatagateway. php?type=stats 

&affid=319 

&subid=new 

&version=3.0 

&adwareok 


193.169.234.30 - Email: Vrapus.Kamat@gmail.com 

- mega-fast.org/page2/setup - 91.212.132.8 - Email: 
Vrapus.Kamat@gmail.com 

mega-fast.org/page2/setup0 

Parked on 91.212.132.5, 91.212.132.7, 91.212.132.8 

(gotsaved.cn) are also: 


airportweb.cn - Email: JoannaWilhelm@xhotmail.net 
gotsaved.cn - Email: georgelem@xhotmail.net 
gotsick.cn - Email: georgelem@xhotmail.net 
gottired.cn - Email: georgelem@xhotmail.net 
gotunderway.cn - Email: georgelem@xhotmail.net 
gotupset.com - Email: DianaFister@xhotmail.net 
methodsweb.com - Email: bryantlew@xhotmail.net 
pickingweb.cn - Email: JoannaWilhelm@xhotmail.net 
prima-fast.org - Email: Vrapus.Kamat@gmail.com 
publishingweb.cn - Email: JoannaWilhelm@xhotmail.net 
quickfreescan.org - Email: GrantPursell@xhotmail.net 
scanerborn.cn - Email: KristinDunton@xhotmail.net 
scanerexcuse.cn - Email: KristinDunton@xhotmail.net 
scanernurse.cn - Email: KristinDunton@xhotmail.net 
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scanerwhatever.cn - Email: KristinDunton@xhotmail.net 
senateweb.com - Email: bryantlew@xhotmail.net 
webdocuments.cn - Email: JoannaWilhelm@xhotmail.net 


Parked on 69.39.238.101 (automaticallyfind.org) are 
also: 

guysfind.org - Email: larrypenn@xhotmail.net 

automaticallyfind.org - Email: larrypenn@xhotmail.net 

findalternate.org - Email: larrypenn@xhotmail.net 

As we've already seen in previous campaigns, each and 
every domain is embedded with an iFrame, which this time 

behaves differently, much more covertly than the one used 
before, ylwgheakrozn.com /ld/novl/ - 66.135.37.211 - 

Email: getilakll@yahoo.com would attempt to load the 
following: 

-ylwgheakrozn.com /nte/novl.php 

- ylwgheakrozn.com /nte/avorplnovl.py 

-ylwgheakrozn.com /nte/NOVl.py 

• The folks at FireEye have covered the M [4]function 
nerot" in depth in January, 2010, and have analyzed a 
campaign using a similar structure as the current one 



But would also attempt to load the nonexistent: 

- ylwgheakrozn.com /nte/AVORPlNOVl.exe 
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cccgchkvhttcom 



-ylwgheakrozn.com /nte/NOVl.exe 


AS13768 





-ylwgheakrozn.com /nte/NOVl.asp 

-ylwgheakrozn.com /nte/NOVl.html 

The campaign ultimately serves [5]Backdoor.Sinowal.DJ; 
Result: 

15/42 (35.71 %) through an obfuscated 

[ 6] Exploit.PDF-JS.Gen - Result: 18/42 (42.86 %). 

Parked on same IP where the iFrame domains is, is the 
remaining portfolio of domains presumably prepared 

for rotation, in fact some of them are already involved in 
malicious activity. 

At 69.174.245.148; 75.125.212.58; 66.135.37.211; 
190.120.228.44 and 76.74.238.94 is the rest of the client- 

side exploits serving domains portfolio: 

aabtiktadve.com - Email: adminhhhPolego@hotmail.com 
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acdcwnbathrcom 



acdcwpbathr.com - Email: vikolr5ty@yahoo.com 
acdlsvladve.com - Email: ade45Meehan4@yahoo.com 
aghgiqfathr.com - Email: eeeDalmanbei@yahoo.com 
balhimana.com - Email: Malachowski@yahoo.com 
dbcavsaddve.com - Email: Wilfredo-admin@yahoo.com 




ddehkyhddve.com - Email: admnBowgrenfd@yahoo.com 
ddewphwddve.com - Email: W-Leetl210@yahoo.com 
dhjgjwgddve.com - Email: adminSeaborn09@yahoo.com 
dhjvnvvddve.com - Email: adminSeaborn09@yahoo.com 
diaiscjdthr.com - Email: Nelsondwer4@yahoo.com 
ejsinlbyidid.com - Email: nerForbes09@yahoo.com 
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fgdchevuno.net - Email: 22232344sad22blyj@msanz.com 

fgnmgojuno.com - Email: 2223234422awbyj@msanz.com 

fgxwuyyuno.com - Email: 2223234422asdbyj@msanz.com 

ghedifauno.com - Email: 2223234422asdlbyj@msanz.com 

ghtsuumuno.com - Email: 
222323442qwle2byj@msanz.com 

hdewptwhdve.com - Email: zekoAdmin@yahoo.com 

hhjvnzvhdve.com - Email: qwMeier34ed@hotmail.com 

jcdcwxbjthr.com - Email: kovin78213@yahoo.com 

jefshosjdve.com - Email: Computer66Heads@yahoo.com 

kbclyokkthr.com - Email: admHalliday666@yahoo.com 

kdvarmgibtp.com - Email: aatrganzlO@yahoo.com 

lbckqbkldve.com - Email: W-Leetl210@yahoo.com 



mcdcwjbmthr.com - Email: Lobertzqeq437@yahoo.com 
mghvegumthr.com - Email: eeeDalmanbei@yahoo.com 
mjisuvrmthr.com - Email: domainHodge2@hotmail.com 
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pdecaxcpdve.com - Email: Computer66Heads@yahoo.com 


pfgeeeepdve.com - Email: admndomsalel2@yahoo.com 
pfgfgdepthr.com - Email: finsky777admin@gmail.com 
pfgoykopdve.com - Email: Wildeysgh67@yahoo.com 
pfgtihtpdve.com - Email: admnBowgrenfd@yahoo.com 
pianwinpdve.com - Email: Wilfredo-admin@yahoo.com 
qabaqbyqthr.com - Email: admHalliday666@yahoo.com 
qabtihtqdve.com - Email: Lawrencee45sd@yahoo.com 
qcdvnhvqdve.com - Email: Lawrencee45sd@yahoo.com 
qefshvsqdve.com - Email: Wildeysgh67@yahoo.com 
qghgixfqthr.com - Email: NguyenlO@gmail.com 
qghkqfkqdve.com - Email: adminsales@yahoo.com 
qghpbapqdve.com - Email: qwMeier34ed@hotmail.com 
qghvexuqthr.com - Email: Richmondsw3d@yahoo.com 
qhjcwfbqthr.com - Email: asVeles45@hotmail.com 
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qlpkoxmdzxsb.com - Email: 
QLPKOXMDZXSB.COM@domainservice.com 

sjidamcsthr.com - Email: Gallippihu67@yahoo.com 

sjinfcmsthr.com - Email: 
domainadmin@navigationcatalyst.com 

tbcpbxptdve.com - Email: hotersl2admin@yahoo.com 



tfgoyqotdve.com - Email: Brodeursdfrtr@yahoo.com 

thjgjcgtdve.com - Email: Harrisasasd@yahoo.com 

tiashostdve.com - Email: aaLehmann34s@yahoo.com 

ubcvesuuthr.com - Email: kovin78213@yahoo.com 

uefxrwxudve.com - Email: admndomsalel2@yahoo.com 

wghgiwfwthr.com - Email: Richmondsw3d@yahoo.com 

yvbbpgrixovr.com - Email: dioSinghl2@yahoo.com 

Monitoring of the campaign is ongoing, updates will be 
posted as soon as new developments emerge. 

Related Troyak-as activity and previous campaigns 
maintained by their customers: 

[7] AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 
249 to 181 

[8] Outlook Web Access Themed Spam Campaign Serves Zeus 
Crimeware 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[10] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[11] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[12] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 



This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14]on Twitter. 

1. http://blo a .fireeve.com/research/2010/01/odf- 
obfuscation.html 

2 . 

http://www.virustotal.com/analisis/13deb97feb24884914143 

139fel73fleefe63c6blb40d95b48c835455el810af-12684 
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3. 

http://www.virustotal.com/analisis/0fa30043f45fe0e9f7fd64b 

Ie9440b8ea7eca8431b73388fll84c3ee83b2335a-12684 

23943 

4. http://blo a .fireeve.com/research/201Q/01/pdf- 
obfuscation.html 

5. 

http://www.virustotal.com/analisis/78df316892ec75fb2dl7b 

9a589aed980771bcc6349325f02fl007b21e7d850ba-12684 

19059 

6 . 

http://www.virustotal.com/analisis/db46413231ea9bed8f4d8 

b40bc820ae7015ac9e6226c9ffe996fef975128b511-12684 

33015 
























7. http://ddanchev.blo as oot.com/2010/03/as50215-trovak- 
as-taken-off1ine-zeus-c.html 


8. http://ddanchev.blo as pot.com/201Q/01/outlook-web- 
access-themed-spam-campai a n.html 

9. http://ddanchev.blo as pot.com/2010/01/pushdo-servin a- 
crimeware-client-side.html 


10. http://ddanchev.blo as pot.com/2010/Q2/photoarchive- 
crimewareclient-side.html 


11. http://ddanchev.blo as pot.com/2010/02/tax-reoort- 
themed-zeusclient-side.html 


12. http://ddanchev.blo as pot.com/2010/02/keeoin a -mone v- 
mule-recruiters-on-short.html 


13. http://ddanchev.blo as oot.com/ 

14. http://twitter.com/danchodanchev 
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Koobface Redirectors and Scareware Campaigns Now 
Hosted in Moldova (2010-03-15 13:51) 































Just how greedy has the Koobface gang become these days? 
Very greedy. 

In fact, their currently active scareware campaigns operate 
with a changed directory structure that speaks for 

itself - scareware-domain/feel/index.php? 

GREED = = random _characters. Let's dissect the scareware 
monetization vector, expose the entire typosquatted 
domains portfolio, and offer a historical OSINT perspective on 
their activities during February, 2010. 

• The domain portfolios are in a process of getting suspended 

The current portfolio of redirectors embedded on Koobface- 
infected hosts is parked at 195.5.161.129, AS43558, 

EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, 
Republic of Moldova: 

tvinyourpc.com - Email: test@now.net.cn 
wheretosellford.com - Email: test@now.net.cn 
weddings-sales-place.com - Email: test@now.net.cn 
chromepluginsfree.com - Email: test@now.net.cn 
checkwebtriple.com - Email: test@now.net.cn 
partypartytime.com - Email: test@now.net.cn 
yourblog2blog.com - Email: test@now.net.cn 
microstoreblog.com - Email: test@now.net.cn 
mexicomaxtravel.com - Email: info@montever.de 



fulllife2photo.com - Email: test@now.net.cn 
yourmaximumphoto.com - Email: test@now.net.cn 

lineagecheatandbug.com - Email: test@now.net.cn 
titansandgods.com - Email: test@now.net.cn 
microsoftbugtracks.com - Email: test@now.net.cn 
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checkwebtrlple.com 



secureyourinfos.com - Email: test@now.net.cn 
weddingiephotos.com - Email: test@now.net.cn 






parkeroffers.com - Email: test@now.net.cn 
nocderrors.com - Email: test@now.net.cn 

androidmobilereviews.com - Email: test@now.net.cn 
terraanews.com - Email: test@now.net.cn 
getbestshows.com - Email: test@now.net.cn 
videostvshows.com - Email: test@now.net.cn 
besttvshowininternet.com - Email: test@now.net.cn 
titanicoverlight.com - Email: test@now.net.cn 
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The scareware domains portfolio is currently parked on 
195.5.161.117, AS43558, EVENTISMOBILE-AS IM "Eventis- 






















Mobile" SRL Chisinau, Republic of Moldova: 
be-protected-lO.info - Email: harkitrip@ymail.com 
be-protecteda.info - Email: harkitrip@ymail.com 
be-protectedc.info - Email: harkitrip@ymail.com 
be-protectedi.info - Email: harkitrip@ymail.com 
be-protected-i8.info - Email: harkitrip@ymail.com 
be-protectedk.info - Email: harkitrip@ymail.com 
be-protected-IO.info - Email: harkitrip@ymail.com 
be-protected-ll.info - Email: harkitrip@ymail.com 
be-protected-tl.info - Email: harkitrip@ymail.com 
be-protectedy.info - Email: harkitrip@ymail.com 
be-secured-al.info - Email: harkitrip@ymail.com 
be-secured-b2.info - Email: harkitrip@ymail.com 
be-secured-c6.info - Email: harkitrip@ymail.com 
be-secured-d9.info - Email: harkitrip@ymail.com 
be-secured-zl.info - Email: harkitrip@ymail.com 
capital-securityl.info - Email: goninanbiz2@ymail.com 
capital-security2.info - Email: goninanbiz2@ymail.com 
capital-security6.info - Email: goninanbiz2@ymail.com 
capital-securitya.info - Email: goninanbiz2@ymail.com 



capital-securityc.info - Email: goninanbiz2@ymail.com 
capital-securitye.info - Email: goninanbiz2@ymail.com 
capital-securityt.info - Email: goninanbiz2@ymail.com 
general-protectionO.info - Email: goninanbiz2@ymail.com 
general-protectionl.info - Email: goninanbiz2@ymail.com 
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general-protection4.info - Email: goninanbiz2@ymail.com 

general-protection9.info - Email: goninanbiz2@ymail.com 

how-to-secure-pcl.info - kramershoppers@yahoo.com 

help-you-nowO.info - Email: intrigo2@yahoo.com 

help-you-nowl.info - Email: intrigo2@yahoo.com 

help-you-now4.info - Email: intrigo2@yahoo.com 

help-you-now6.info - Email: intrigo2@yahoo.com 

help-you-now9.info - Email: intrigo2@yahoo.com 

• Consider going through M [l]The ultimate guide to 
scareware protection" and a [2]gallery of popular 
sea reware/fake security software brands 


pchelpserver.info - Email: vernotowersc2@googlemail.com 

pchelpservera.info - Email: 
vernotowersc2@googlemail.com 

pchelpserverz.info - Email: 
vernotowersc2@googlemail.com 

powersecurity09.info - Email: miscelli3@googlemail.com 
powersecurityc.info - Email: miscelli3@googlemail.com 
powersecurityt.info - Email: miscelN3@googlemail.com 
powersecurityy.info - Email: miscelN3@googlemail.com 
powerssoftwareO.info - Email: miscelli3@googlemail.com 
powerssoftwarel.info - Email: miscelli3@googlemail.com 
powerssoftware3.info - Email: miscelli3@googlemail.com 
powerssoftware6.info - Email: miscelli3@googlemail.com 
security-softwarec.info - kramershoppers@yahoo.com 
software-helpa.info - Email: hartin6@yahoo.com 
software-helpd.info - Email: hartin6@yahoo.com 
software-helpe.info - Email: hartin6@yahoo.com 
software-helpy.info - Email: hartin6@yahoo.com 
software-helpz.info - Email: hartin6@yahoo.com 
special-softwarel.info - Email: hartin6@yahoo.com 
special-software3.info - Email: hartin6@yahoo.com 



special-software7.info - Email: hartin6@yahoo.com 
special-software8.info - Email: hartin6@yahoo.com 
special-software*).info - Email: hartin6@yahoo.com 
specialwebhelpO.info - Email: hartin6@yahoo.com 
specialwebhelpl.info - Email: hartin6@yahoo.com 
specialwebhelp3.info - Email: hartin6@yahoo.com 
specialwebhelp5.info - Email: hartin6@yahoo.com 
specialwebhelp7.info - Email: hartin6@yahoo.com 
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Detection rates for scareware samples rotated over the past 
48 hours: 

- Setup _312s2.exe - [3]Trojan.Win32.FakeAVMK - Result: 
4/41 (9.76 %) 

- Setup _312s2.exe - [4]Trojan.Generic.KD.3549 - Result: 
4/41 (9.76 %) 

- Setup _312s2.exe - [5]Trojan.Generic.KD.3605 - Result: 
10/42 (23.81 %) 

- Setup _312s2.exe - [6]Packed.Win32.Krap.as - Result: 
6/41 (14.64 %) 

- Setup _312s2.exe - [7]Trojan.Crypt.XPACK.Gen2 - Result: 
6/42 (14.29 %) 

- Setup _312s2.exe - [8]Sus/UnkPack-C - 10/42 (23.81 %) 



The samples phone back to projectwupdates.com/ 
download/winlogo.bmp - 94.228.208.57 and cari- 

port.com/ ?b=312s2 - 89.248.168.21 
(psdefendersoft.com and antispywarelist.com also 
parked there) - Email: zooik52@hotmail.com. 

• Consider going through the 11 [9]10 things you didn't 
know about the Koobface gang " article 

Recent detection rates for Koobface components: 

- [10jfb.l01.exe - Result: 39/42 (92.86 %) 

- [ll]go.exe - Result: 7/42 (16.67 %) 

- [12Jpp.l4.exe - Result: 36/42 (85.72 %) 

- [13]v2bloggerjs.exe - Result: 39/42 (92.86 %) 

- [14]v2captcha21.exe - Result: 24/41 (58.54 %) 

- [15]v2newblogger.exe - Result: 23/41 (56.10 %) 

- [16]v2googlecheck.exe - Result: 36/41 (87.80 %) 

- [17]v2webserver.exe - Result: 26/42 (61.91 %) 

In respect the Koobface gang, as well as cybecrime in 
general, historical OSINT always offers an invaluable 

piece of the malicious puzzle of their campaigns, hosting 
providers, and the campaign structure making it easier to 
establish multiple connections between the rest of their non 
Koobface-botnet related campaigns. 

Here's a peek at the redirectors and scareware domains 
served during February. For more extensive assess- 



merit of their activities for February, go through the "[18] A 

Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors 

Courtesy of the Koobface Gang" post. 
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aolwheretogo.com 



Redirectors parked 91.212.132.242, AS49091, Interforum-AS 
Interforum LTD for February, 2010: 





amazing-4-fotos.com - Email: test@now.net.cn 
bbcadditionalguide.com - Email: test@now.net.cn 
brightonsales.com - Email: test@now.net.cn 
daily00photos.com - Email: test@now.net.cn 
daily6deals.com - Email: test@now.net.cn 
daily88news.com - Email: test@now.net.cn 
dellvideohacks.com - Email: test@now.net.cn 
discoverallnow.com - Email: test@now.net.cn 
discoverprivateinfo.com - Email: test@now.net.cn 
discoverprivatelife.com - Email: test@now.net.cn 
discoverprivatemail.com - Email: test@now.net.cn 
discoverprivatewebcams.com - Email: test@now.net.cn 
discoversecretdfacebook.com - Email: test@now.net.cn 
facebookfriendwatch.com - Email: test@now.net.cn 
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facebookreadmail.com - Email: test@now.net.cn 
free-amazon-coupon.com - Email: test@now.net.cn 
free-ebay-stuff.com - Email: test@now.net.cn 
free-secret-info.com - Email: test@now.net.cn 
getalestickets.com - Email: test@now.net.cn 



hightowerfisheye.com - Email: test@now.net.cn 

lenovovideohacks.com - Email: test@now.net.cn 

mymailbusiness.com - Email: test@now.net.cn 

private-O-photos.com - Email: test@now.net.cn 

seehiddenfacebook.com - Email: test@now.net.cn 

skyscrapeviews.com - Email: test@now.net.cn 

yahoobusinesstrip.com - Email: test@now.net.cn 

you22tube.com - Email: test@now.net.cn 

Scareware domains parked on 195.5.161.119, AS31252, 
STARNET-AS StarNet Moldova, for February, 2010: 

best-protectionO.info - Email: ware2mall@yahoo.com 

best-protection8.info - Email: ware2mall@yahoo.com 

bestprotectiona.info - Email: ware2mall@yahoo.com 

best-protectiona.info - Email: ware2mall@yahoo.com 

bestprotectione.info - Email: ware2mall@yahoo.com 

best-protectione.info - Email: ware2mall@yahoo.com 

best-protectionf.info - Email: ware2mall@yahoo.com 

megal-antivirus3.com - Email: test@now.net.cn 

megal-antivirus5.com - Email: test@now.net.cn 

megal-antivirus7.com - Email: test@now.net.cn 



megal-antivirus9.com - Email: test@now.net.cn 

megal-scanner5.com - Email: test@now.net.cn 

megal-scanner7.com - Email: test@now.net.cn 

smartsecurityO.info - Email: neeceheight@yahoo.com 

smartsecurityl.info - Email: neeceheight@yahoo.com 

smart-securityl.info - Email: neeceheight@yahoo.com 

smartsecurity2.info - Email: neeceheight@yahoo.com 

smartsecurity7.info - Email: neeceheight@yahoo.com 

smartsecuritya.info - Email: neeceheight@yahoo.com 

smartsecurityd.info - Email: neeceheight@yahoo.com 

smart-securityo.info - Email: neeceheight@yahoo.com 

super2-antivirus.com - Email: neeceheight@yahoo.com 

super2-antivirus2.com - Email: neeceheight@yahoo.com 

ver2-scanner.com - Email: test@now.net.cn 

ver2-scanner2.com - Email: test@now.net.cn 

ver2-scanner4.com - Email: test@now.net.cn 

Persistence must be met with persistence. The domain 
portfolios are in a process of getting suspended, an 

update will posted as soon as this happens. 

Related Koobface gang/botnet research: 



[ 19] 10 things you didn't know about the Koobface gang 

[20] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[21] How the Koobface Gang Monetizes Mac OS X Traffic 

[22] The Koobface Gang Wishes the Industry "Happy 
Holidays" 
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[23] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken 
Offline 

[24] Koobface Botnet Starts Serving Client-Side Exploits 

[25] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[26] Koobface Botnet's Scareware Business Model - Part Two 

[27] Koobface Botnet's Scareware Business Model - Part One 

[28] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[29] New Koobface campaign spoofs Adobe's Flash updater 

[30] Social engineering tactics of the Koobface botnet 

[31] Koobface Botnet Dissected in a TrendMicro Report 

[32] Movement on the Koobface Front - Part Two 

[33] Movement on the Koobface Front 

[34] Koobface - Come Out, Come Out, Wherever You Are 



[35]Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [36]Dancho Danchev's 
blog. Follow him [37Jon Twitter. 

1. http://blo a s.zdnet.com/securit v/7 p=4297 

2. http://content.zdnet.com/2346-12691 22-342083.html 

3. 

http://www.virustotal.com/analisis/4e62aff9b6612090a088ab 

dlf31817a4582ed9e2ad81cd456f2e536d71fd0ad2-12684 

11269 

4. 

http://www.virustotal.com/analisis/0bd309172eacda58255cf 

35e6be6c2a9942056597el2el24d2df2cf27ca7dafd-12684 

36536 

5. 

http://www.virustotal.com/analisis/4681a237851bfcf0e785d3 

841a77b9c5fl86067dc0218edb96457552046d7a91-12684 

92213 

6 . 

http://www.virustotal.com/analisis/66a853d9ba6add77254ee 

ba4cad01c30d0e9f09778adbb978fdad84d27566f29-12685 

18041 


7 . 


















http://www.vi rustotal.com/analisis/f2bb5d8db53fQ05fb30f6d 

e99al2a9a8aee9df871b7357a0flfd72f69abfe666-12685 

85736 

8 . 

http://www.virustotal.com/analisis/2021aeecdl66da3d87ecl 

7a403d7df89491dcac9d5b59295325d08fd52470dac-12685 

97879 

9. http://blo a s.zdnet.com/securit v/? o = 5452 

10 . 

http://www.virustotal.com/analisis/51b56df5ed2c9815b855c 

220001ff8ell8acQdddf4d47b377cf530156dca2b09-12684 

37394 

11 . 

http://www.virustotal.com/analisis/ef700b4cda22ba9fcl2076 

fdb3cdb3aaa6ed5734ac72a8c9bcd5220916b096f3-12684 

37400 

12 . 

http://www.virustotal.com/analisis/028af4fb82d77ba522799 

aba7e7d37df015a7ee99c6253a82bd4b5153b0d55a2-12684 

37402 

13. 

http://www.virustotal.com/analisis/0fe50ee612678361761b2 

26cf8def51c9101ddd80fbbaf567a782df7026bc464-12684 


37406 























14. 

http://www.vi rustotal.com/analisis/1123ef7613f92e64c61d0f 

beff2e93clbbdfb7a005cf967628daffc77bd06f5b-12684 

37471 

15. 

http://www.virustotal.com/analisis/af43db7c6alccl60fb6465 

9979a274fe205dd6cd2dac832ea4f08dcl8d5fc4b5-12684 

37483 

16. 

http://www.virustotal.com/analisis/187ee3a40da932718df09 

8blg§fj >>o7b..»:i^--.n81288ad5199453396baa735ae70-12684 

37474 

17. 

http://www.virustotal.com/analisis/1108276c9773c9Qd617a9 

6603981624160ri8948e6992038eca7826f7700dc397- 

12684 

37594 

18. http://ddanchev.blo as pot.com/2010/02/diverse-portfolio- 
of-scarewareblackhat.html 

19. http://blo a s.zdnet.com/securit v/? p=5452 

20. http://ddanchev.blo as pot.com/2010/Q2/diverse-portfolio- 
of-scarewareblackhat.html 
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21. http://ddanchev.blo as pot.com/2010/Q2/how-koobface- 
a an a -monetizes-mac-os-x.html 





























22. http://ddanchev.blo as pot.com/20Q9/12/koobface- a an a- 
wishes-industrv-ha op v.html 


23. http://ddanchev.blo as oot.com/2009/12/koobface- 
friendlv-riccom-ltd-as29550.html 

24. http://ddanchev.blo as pot.com/20Q9/ll/koobface-botnet- 
starts-servin a -client.html 

25. http://ddanchev.blo as pot.com/20Q9/ll/massive- 
scareware-servin a -blackhat-seo.html 

26. http://ddanchev.blo as pot.com/20Q9/ll/koobface- 
botnets-scareware-business.html 


27. http://ddanchev.blo as pot.com/2009/Q9/koobface- 
botnets-scareware-business.html 


28. http://ddanchev.blo as pot.com/20Q9/10/koobface-botnet- 
redirects-facebooksHP.html 

29. htto://blo a s.zdnet.com/securit v/? o=4594 

30. http://content.zdnet.com/2346-12691 22-352597.html 

31. http://ddanchev.blo as pot.com/20Q9/10/koobface-botnet- 
dissected-in-trendmicro.html 


32. http://ddanchev.blo as pot.com/2009/Q8/movement-on- 
koobface-front-part-two.html 

33. http://ddanchev.blo as pot.com/2009/Q8/movement-on- 
koobface-front.html 


34. http://ddanchev.blo as pot.com/2009/Q7/koobface-come- 
out-come-out-wherever-vou.html 















































35. http://ddanchev.blo as pot.com/2009/Q7/dissectin a- 
koobface-worms-twitter.html 


36. http://ddanchev.blo as oot.com/ 

37. http://twitter.com/danchodanchev 
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The Current State of the Crimeware Threat (2010-03- 
20 17:05) 

With [l]Zeus crimeware infections reaching epidemic levels, 

[2] two-factor authentication under fire, and the actual 

[3] DIY (do-it-yourself) kit becoming more sophisticated, it's 
time to reassess the situation by discussing the current and 
emerging crimeware trends. 

What's the current state of the crimeware threat? Just how 
vibrant is the underground marketplace when it 











comes to crimeware? What are ISPs doing, and should ISPs be 
doing to solve the problem? Does taking down a 

cybercrime-friendly ISP has any long term effects? 

I asked [4]Thorsten Holz, researcher at Vienna University of 
Technology, whose team not only participated in 

the recent [5]takedown of the Waledac botnet, but 
[6]released an interesting paper earlier this year, 
summarizing their findings based on 33GB of crimeware data 
obtained from active campaigns. 

• [7]The current state of the crimeware threat - Q &A 

Go through the Q &A. 

Related posts on crimeware kits, trends and 
developments: 

[8] Crimeware in the Middle - Zeus 

[9] Crimeware in the Middle - Limbo 

[10] Crimeware in the Middle - Adrenalin 

[11] 76Service - Cybercrime as a Service Going Mainstream 

[12] Zeus Crimeware as a Service Going Mainstream 

[13] Modified Zeus Crimeware Kit Comes With Built-in MP3 
Player 

[14] Zeus Crimeware Kit Gets a Carding Layout 

[15] The Zeus Crimeware Kit Vulnerable to Remotely 
Exploitable Flaw 
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[ 16]Help! Someone Hijacked my 100k+ Zeus Botnet! 

[17] lnside a Zeus Crimeware Developer's To-Do List 

Zeus crimeware serving campaigns for Ql, 2010, 
related to TROYAK-AS: 

[18] TROYAK-AS: the cybercrime-friendly ISP that just won't 
go away 

[19] AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 
249 to 181 

[20] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[21] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[22] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[23] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[24] Keeping Money Mule Recruiters on a Short Leash - Part 
Two[25] 

This post has been reproduced from [26]Dancho Danchev's 
blog. Follow him [27Jon Twitter. 

1. http://blo a s.zd net.com/securi t v/? p = 5365 

2. http://blo a s.zdnet.com/securit v/7 p=4402 

3. http://www.secureworks.com/research/threats/zeus/ 









4. http://honevblo a.org/ 


5. http://honevblo a .or a /archives/52-Waledac-Takedown- 
Successfui.html 

6. http://honevblo a .or g /archives/48-Stud vina -Aspects-of-the- 
Under a round-Econornv.html 

7. http://blo a s.zd net.com/securit v/? p = 5797 

8. http://ddanchev.blo as pot.com/2008/Q4/crimeware-in- 
middle-zeus.html 


9. http://ddanchev.blo as pot.com/2009/03/crimeware-in- 
middle-limbo.html 


10. http://ddanchev.blo as pot.com/2009/Q2/crimeware-in- 
middle-adrenalin.html 


11. http://ddanchev.blo as pot.com/2008/08/76service- 
c vbercrime-as-service- a oin a .html 

12. http://ddanchev.blo as pot.com/20Q8/12/zeus-crimeware- 
as-service- a oin a .html 

13. http://ddanchev.blo as pot.com/2008/Q9/modified-zeus- 
crimeware-kit-comes-with.html 


14. http://ddanchev.blo as pot.com/20Q8/ll/zeus-crimeware- 
kit- g ets-cardin a -lavout.html 

15. http://ddanchev.blo as pot.com/2008/Q6/zeus-crimeware- 
kit-vulnerable-to.html 


16. http://ddanchev.blo as pot.com/2009/Q2/help-someone- 
hii acked-mv-100k-zeus.html 






















































17. http://ddanchev.blo as pot.com/2009/Q4/inside-zeus- 
crimeware-developers-to-do.html 

18. http://blo a s.zdnet.com/securit v/? p=5761 

19. http://ddanchev.blo as pot.com/2010/03/as5Q215-trovak- 
as-taken-off1ine-zeus-c.html 


20. http://ddanchev.blo as pot.com/201Q/01/outlook-web- 
access-themed-spam-campai a n.html 

21. http://ddanchev.blo as pot.com/201Q/01/pushdo-servin a- 
crimeware-client-side.html 


22. http://ddanchev.blo as pot.com/2010/Q2/photoarchive- 
crimewareclient-side.html 


23. http://ddanchev.blo as pot.com/2010/Q2/tax-report- 
themed-zeusclient-side.html 


24. http://ddanchev.blo as pot.com/2010/Q2/keepin a -mone v- 
mule-recruiters-on-short.html 


25. http://ddanchev.blo as pot.com/2010/Q2/tax-report- 
themed-zeusclient-side.html 


26. http://ddanchev.blo as pot.com/ 

27. http://twitter.com/danchodanchev 
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* toe Company Project* Amtykt [1*1 


About the Company 


Welcome to the world of Outto/onj Never has a phenomenon bean to afl 
encompassmg artd empowemo Ike outsourcing. Transcendng beyond an ndusttys 
vtftcjl segments, outsourcing bat become the *by defat*' strategy for al prof* 
conscious orgaruabons that struggle to recam the* wnwg streak and hgh 
pr oftabkty Today's scenario rt the business world it mora oompabtiva ttvan what « was 
tn the past. Thara it a growing reabtabon that wisdom has n consobdatng tha core 
cempattncy functions and outsourong tha sup plem e nt. We ara an onAna same as 
marketplace n USA and Austraba. Our ooal is to empower busmassas with tha absolute 
freedom to choose whara to outsourca thaa busness naads to maomue the* 
competitive advantage. Wa bebeve that *monay savad due to outsourcing can ba 
effectrvefy and suocestfr*y utAzed to focus mora on strata?* and cora busa>assas 
kMfiOM*. 

Our service 

IT Programmer* 

• Customer Sarvicas 

• Cal Cent art 

e Bad Office Functions 

• Parted 

• Software Development 

• Web programmers 

• Grapfecs & document conversions 

You can easdy And freel a ncer* and sconce Arm* from us, tnda, Austraba. Rutva. 
Romania. Ufcrane. UK, Phfogne, Motdeva and other countries. Why watte your preoous 
tme n Andrvg sennee provider when they are looting for you. Send us your seme* 
requrements a* project and let professional freelancers and service Arms compete 
UtAze T»#a Group Inc as the platform to outsource al your busmess needs. As an 
efAoent onhne outsourong facAtator. TNN Group Inc bmps together burrers and service 
providers. It helps the buyer* with the freedom to choose professional freelancers and 
service Arms to whom they can outsource thee busmett needs to maxsnue thee 
c o mpet i t i ve advantage 

Our buseiess modal writ help buyers access world-das* talent to dame maxmum 
advantage ei terms of faster development cycle, shorter detvery schedules, fogh quatty 


Featured Analytics 

9 for it service* 



freUence Omgrwr for 

i* M»>i» ;::0 


P ev e tapmere, Deegn endror 


Keeping Money Mule Recruiters on a Short Leash - 
Part Three (2010-03-20 23:14) 

UPDATED: 7 minutes after notification, EUROACCESS 
responded that the IPs mentioned within the AS " have been 
blackholed for the time being until a confirmation of cleanup 
has been received from the customer. " 
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augment-group.com 

85.12.46.96 

augmentgroup.net 

85.12.46.96 

augment-groupmain. tw 

85.12.46.95 

amplitude-groupmain .net 

85.12.46.243 

asperitygroup.net 

85.12.46.95 

asperity-group.com 

85.12.46.95 

altitude-groupli.com 

85.12.46.95 

celeritygroupmain.tw 

85.12.46.95 

celerity-groupmain. net 

85.12.46.96 

celerity-groupmain.tw 

85.12.46.95 

impact-groupinc.net 

85.12.46.95 

impact-groupnet. com 

85.12.46.95 

excel-groupsvc.com 

85.12.46.95 

fecunda-group.com 

85.12.46.96 

f ecunda-groupmain. net 

85.12.46,95 

f ecunda-groupmain. tw 

85.12.46.95 

foreaim-group.com 

85.12.46.95 

foreaimgroup.net 

85.12.46.96 

golden-gateinc.com 

85.12.46.95 

golden-gateco.net 

85.12.46.96 

luxor-groupco.tw 

85.12.46.96 

luxor-groupinc.tw 

85.12.46.96 

synapse-groupinc. tw 

85.12.46.95 

synapse-groupf ine. net 

85.12.46.96 

synapsegroupli.com 

85.12.46.96 

spark-groupsvc. com 

85.12.46.96 

tnmgroupsvc.net 

85.12.46.96 

tnmgroupinc.com 

85.12.46.95 

westendgroupsvc.net 

85,12.46,96 


It's a fact. However, in less than a minute the money mule 
recruitment gang moved the domains from the now 

blackholed 85.12.46.241; 85.12.46.242; 85.12.46.243 
85.12.46.244; 85.12.46.245 to 85.12.46.95 and 
85.12.46.96. 

These, including the crimeware and the scareware IPs, are 
now also blackholed. Let's see what the gang will 

do next. 

The cybercriminals you know, are better than the 
cybercriminals you don't know. They can be typosquatting, 

or changing their hosting providers, but they can't escape. 



The money mule recruiters profiled in M [l]Keeping Money 
Mule Recruiters on a Short Leash" and in "[2]Keeping Money 
Mule Recruiters on a Short Leash - Part Two" are now 
switching hosting to AS34305, EUROACCESS Global 
Autonomous System - the [3]Koobface gang was also 
using their services during the Christmas season. 

The gang appears to have also purchased new templates 
using new, but naturally, bogus descriptions of the 

money mule recruitment companies. It gets even more 
interesting, when one of the domains ([4]greatuk.org) 
participating in a Zeus crimeware campaign within 
AS34305, has been registered to hilarykneber@yahoo.com 

([5]The Kneber botnet - FAQ). 

An excerpt from [6]The Kneber botnet - FAQ on the 

Koobface gang connection: 

• The name servers used in [7]December, 2009's DocStoc 
scareware campaign, were registered using the same 
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email used to register the [8]client-side exploit serving 
domains part of the Koobface gang's experiment conducted 
in November, 2009. Parked on the same IP hosting the 
domain which was serving the malware in the 

campaign, was also the a domain registered to 
HilaryKneber@yahoo.com (search-results .cn) Even more 
interesting is the fact that the emails used to registered the 
rest of the domains parked at this IP, are also known to have 
been used in registering money mule recruitment domains 
([9]Standardizing the Money Mule Recruitment 
Process; [10]Keeping Money Mule Recruiters on a 
Short Leash) 



The bogus money mule recruitment companies are 
using identical templates, describing themselves as 
follows: 

11 Welcome to the world of Outsourcing. Never has a 
phenomenon been so all encompassing and empowering like 
outsourcing. Transcending beyond an industry's vertical 
segments, outsourcing has become the "by default" strategy 
for ail profit conscious organizations that struggle to retain 
their winning streak and high profitability. Today's scenario in 
the business world is more competitive than what it was in 
the past. 

There is a growing realization that wisdom lies in 
consolidating the core competency functions and 
outsourcing the supplement. We are an online services 
marketplace in USA and Australia. Our goal is to empower 
businesses with the absolute freedom to choose where to 
outsource their business needs to maximize their 
competitive advantage. We believe that "money saved due 
to outsourcing can be effectively and successfully utilized to 
focus more on strategic and core businesses functions". 

Let's expose the domains portfolio, its supporting name 
servers, and emphasize on the scareware and crime- 

ware activity currently taking place at AS34305, 
EUROACCESS Global Autonomous System. 
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Active money mule recruitment domains: 

augment-group.com - 85.12.46.245 - Email: 
mylar@5mx.ru 

augmentgroup.net - 85.12.46.245 - Email: 
glean@fastermail.ru 

augment-groupmain.tw - 85.12.46.245 - Email: 
gutsy@qx8.ru 

amplitude-groupmain.net - 85.12.46.245 - Email: 
tabs@5mx.ru 






asperitygroup.net - 85.12.46.241 - Email: 
cde@freenetbox.ru 

asperity-group.com - 85.12.46.244 - Email: okay@qx8.ru 

alwyn-groupllc.com - Email: cde@freenetbox.ru 

altitude-groupli.com - 85.12.46.244 - Email: 
mylar@5mx.ru 

celeritygroupmain.tw - 85.12.46.242 - Email: 
gutsy@qx8.ru 

celerity-groupmain.net - 85.12.46.243 - 
cde@freenetbox.ru 

celerity-groupmain.tw - 85.12.46.241 - Email: 
weds@fastermail.ru 

impact-groupinc.net - 85.12.46.242 - Email: 
cde@freenetbox.ru 

impact-groupnet.com - 85.12.46.243 - Email: 
okay@qx8.ru 

excel-groupsvc.com - 85.12.46.241 - Email: carlo@qx8.ru 
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Augment Group I 



How site works? 

1 Post and track your vacancies. RFPs and projects 
2. Find affordable freelancers or full-time staff 
3 Get work done below budget and make profit 



About the Company 
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fecunda-group.com - 85.12.46.241 - Email: okay@qx8.ru 

fecunda-groupmain.net - 85.12.46.243 - Email: 
mylar@5mx.ru 

fecunda-groupmain.tw - 85.12.46.245 - Email: 
ti@fastermail.ru 


foreaim-group.com - 85.12.46.245 - Email: 
cde@freenetbox.ru 


foreaimgroup.net - 85.12.46.241 - Email: 
glean@fastermail.ru 









golden-gateinc.com - 85.12.46.242 - Email: 
cde@freenetbox.ru 

golden-gateco.net - 85.12.46.242 - Email: carlo@qx8.ru 
luxor-groupco.tw - 85.12.46.244 - Email: logic@qx8.ru 
luxor-groupinc.tw - 85.12.46.244 - Email: gv@fastermail.ru 
synapse-groupinc.tw - 85.12.46.241 - Email: omega@ 
fastermail.ru 

synapse-groupfine.net - 85.12.46.245 - Email: 
okay@qx8.ru 

synapsegroupli.com - 85.12.46.243 - Email: tabs@5mx.ru 

spark-groupsvc.com - Email: trim@freenetbox.ru 

tnmgroupsvc.net - 85.12.46.245 - Email: tabs@5mx.ru 

tnmgroupinc.com - 85.12.46.241 - Email: tabs@5mx.ru 

westendgroupsvc.net - 85.12.46.241 - Email: 
mylar@5mx.ru 
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5 Impact Group Inc 


How site works? 

1. Post and track your vacancies, RF 
3. Get work done below budget and make profit 
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Name servers: 

nsl.maninwhite.ee - 89.248.166.45 - Email: 
duly@fastermail.ru 

nsl.trythisok.cn - 89.248.166.45 - Email: chunk@qx8.ru 

nsl.translatasheep.net - 92.63.111.127 - Email: 
stair@freenetbox.ru 

nsl.alwaysexit.com - 92.63.111.146 - Email: 
sob@bigmailbox.ru 

nsl.ehinegrowth.ee - 89.248.166.59 - Email: 
duly@fastermail.ru 




ns2.cnnandpizza.cc - 205.234.195.188 - Email: 
bears@fastermail.ru 

nsl.benjenkinss.cn - 89.248.166.59 - Email: 
chunk@qx8.ru 

nsl.worldslava.ee - 64.85.174.145 - Email: 
fussy@bigmailbox.ru 

ns2.uleaveit.com - 204.12.217.253 - Email: plea@qx8.ru 

ns3.pesenlife.net - 74.118.194.86 - Email: erupt@qx8.ru 

nsl.basilkey.ws - 98.158.171.87 

Next to the money mule recruitment domains, there are 
several [ll]active Zeus crimeware active campaigns, 

using the following domains/IPs. In fact one of them is using 
a domain registered to Hilary Kneber ([12]The Kneber 
botnet - FAQ): 

[13] greatuk.org - 193.104.22.100 - Email: 
hilarykneber@yahoo.com 

[14] greatan.cn - 193.104.22.100 - Email: AlehnoLopu 
_@yahoo.com 

[15] 193.104.22.71 

[16] 193.104.22.90 
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What are we missing? 

Naturally, that's the scareware monetization element. 



Let's expose one of the cur¬ 
rently active scareware domain portfolios there. 

Domains responding to 193.104.22.50 - AS34305, 
EUROACCESS Global Autonomous System: 

2009antispyware.net - Email: admin@web- 
antispyware.com 

againstspyware.com - Email: admin@antiviruscenter.net 

antispycenterprof.com - Email: 
admin@antispycenterprof.com 

anti-spyware-2010.net - Email: 
admin@antiviruscenter.net 

antispyware24x7.com - Email: 
admin@antispyware24x7.com 

antispywareglobal.com - Email: 
admin@antiviruscenter.net 

antispywareonline.net - Email: admin@antiviruscenter.net 

antispywaresnet.com - Email: 
admin@antispywaresnet.com 

antispywarets.com - Email: admin@antispywarets.com 

antispywareweb.net - Email: admin@antiviruscenter.net 

antispyworidwideint.com - Email: 
admin@antispyworldwideint.com 

antiviruscenter.net - Email: admin@antiviruscenter.net 



antivirusexpert.net - Email: admin@antiviruscenter.net 

antivirus-live.net - Email: admin@antiviruscenter.net 

antiviruslivepro.com - Email: admin@antiviruscenter.net 

antiviruslive-pro.com - Email: admin@antiviruscenter.net 

antivirus-service.net - Email: admin@antiviruscenter.net 

antivirustop.net - Email: admin@antiviruscenter.net 

bestantispysoft2010.com - Email: 
admin@bestantispysoft2010.com 
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eliminater2009pro.com - Email: 
admin@eliminater2009pro.com 

itsafetyonline.com - Email: admin@itsafetyonline.com 

ivirusidentify.com - Email: admin@ivirusidentify.com 

myprivatesoft2009.com - Email: 
admin@myprivatesoft2009.com 




netantivirus.net - Email: admin@antiviruscenter.net 

onlineantispysoft.com - Email: 
admin@onlineantispysoft.com 

pcdoctorz2010.com - Email: admin@pcdoctorz2010.com 

pcprotect2010.com - Email: admin@pcprotect2010.com 

pcsafety2009pro.com - Email: 
admin@pcsafety2009pro.com 

protection2010.com - Email: 
admin@pcsafety2009pro.com 

protectorservice.com - Email: admin@antiviruscenter.net 
superantivirus.net - Email: admin@antiviruscenter.net 
systemprotector.net - Email: admin@antiviruscenter.net 
total-defender.com - Email: admin@total-defender.com 
virusdetect24.com - Email: admin@antiviruscenter.net 
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virusremoveonline.com - Email: 
admin@antiviruscenter.net 

worldantispywarel.com - Email: 
admin@worldantispywarel.com 

worldprotection.net - Email: admin@antiviruscenter.net 

EUROACCESS has been notified, the post will be updated 
once/if they take care of the "customers" violating their 
Terms of Service. 



Related coverage of money laundering in the context 
of cybercrime: 

[17] Money Mule Recruiters on Yahool's Web Hosting 

[18] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[19] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[20] Keeping Reshipping Mule Recruiters on a Short Leash 

[21] Keeping Money Mule Recruiters on a Short Leash 

[22] Standardizing the Money Mule Recruitment Process 

[23] lnside a Money Laundering Group's Spamming 
Operations 

[24] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[25] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [26]Dancho Danchev's 
blog. Follow him [27Jon Twitter. 

1. http://ddanchev.blo as pot.com/2009/ll/keepin a -mone v- 
mule-recruiters-on-short.html 

2. http://ddanchev.blo as pot.com/2010/Q2/keepin a -mone v- 
mule-recruiters-on-short.html 

3. http://ddanchev.blo as pot.com/2009/12/koobface- a an a- 
wishes-industrv-ha pp v.html 















4. https://zeustracker.abuse.ch/monitor. php? 
host= g reatuk.or g 

5. http://blo g s.zdnet.com/securit v/? p = 5508 

6. http://blo g s.zdnet.com/securit v/? p = 5508 

7. http://ddanchev.blo os pot.com/20Q9/12/celebritv-themed- 
scareware-camoai g n Q7.html 

8. http://ddanchev.blo os pot.com/20Q9/ll/koobface-botnet- 
starts-servin g -client.html 

9. http://ddanchev.blo os pot.com/20Q9/10/standardizin o- 
monev-mule-recruitment.html 

10. http://ddanchev.blo gs pot.com/2009/ll/keepin g -mone v- 
mule-recruiters-on-short.html 


11. https://zeustracker.abuse.ch/monitor. ph p?as=34305 

12. http://blo g s.zdnet.com/securit v/? p=5508 

13. https://zeustracker.abuse.ch/monitor. php? 
host= g reatuk.or g 

14. https://zeustracker.abuse.ch/monitor. php? 
host= g reatan.cn 

15. https://zeustracker.abuse.ch/monitor. php? 
host=193.104.22.71 


16. https://zeustracker.abuse.ch/monitor. php? 
host=193.104.22.90 


17. http://ddanchev.blo os pot.com/2010/03/monev-mule- 
recruiters-on-vahoos-web.html 
















































18. http://ddanchev.blo as pot.com/2010/Q2/dissectin a- 
on a oin a -monev-mule.html 


19. http://ddanchev.blo as pot.com/2010/Q2/keepin a -mone v- 
mule-recruiters-on-short.html 


20. http://ddanchev.blo as pot.com/20Q9/12/keepin a- 
reshi p pin a -mule-recruiters-on.html 

21. http://ddanchev.blo as pot.com/2009/ll/keepin a -mone v- 
mule-recruiters-on-short.html 


22. http://ddanchev.blo as pot.com/20Q9/10/standardizin a- 
monev-mule-recruitment.html 

23. http://ddanchev.blo as pot.com/2009/Q5/inside-mone v- 
launderin a-a roups-soammin a .html 

24. http://ddanchev.blo as pot.com/2008/Q7/monev-mule- 
recruiters-use-asproxs-fast.html 

25. http://ddanchev.blo as pot.com/2008/10/monev-mules- 
s vndicate-activelv.html 

26. http://ddanchev.blo as pot.com/ 

27. http://twitter.com/danchodanchev 
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GazTransitStroy/GazTranZitStroy: 

From Scareware to Zeus Crimeware and Client-Side 
Exploits 


(2010-03-24 00:22) 











































Remember 2009's GazTransitStroy/GazTranZitStroy LLC, 
[1]AS29371? 

The fake Russian gas company whose motto was " In gaz we 
trust'? It appears that in order to stay competitive within the 
cybercrime ecosystem, they are now diversifying their 
offerings from hosting scareware domains 

and redirectors, to [2]active Zeus crimeware campaigns, next 
to client-side exploits serving campaigns used as the 
infection vector. 

• Go through previous posts detailing their activities: 

[3]GazTranzitStroylnfo - a Fake Russian Gas Company 
Facilitating Cybercrime; [4]GazTransitStroy/GazTranZitStroy 
Rubbing Shoulders with Petersburg Internet Network 

LLC 
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From last's week's active Zeus C &Cs: 

houstonhotelreal.com - 91.212.41.88 - Email: 
admin@houstonhotelreal.com 

doctormiler.com - 91.212.41.14 - Email: 
cheburaskogro@yahoo.com 

pipiskin.hk - 91.212.41.40 - Email: admin@pipiskin.hk 

lopokerasandco.hk - 91.212.41.89 - Email: 
admin@lopokerasandco.hk 

aervrfhu.ru - 91.212.41.88/109.196.143.60 - Email: samm 
_87@email.com 


updateinfo22.com - 91.212.41.60/193.148.47.60 - Email: 
moonbeam@konocti.net 

tumasolt.com - 91.212.41.123 - Email: stuns@5mx.ru 

91.212.41.80 

91.212.41.79 

91.212.41.78 

To this week's active Zeus campaigns: 

cpadm21.cn - 91.212.41.31 - Email: Dalas 
_lllarionov@yahooo.com 

doctormiler.com - 91.212.41.14 - Email: 
cheburaskogro@yahoo.com 

91.212.41.80 

91.212.41.79 
91.212.41.78 
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GazTransitStroy is still in operation, acting as route for 
malicious activity, in the very same way it was interacting 
with other cyber-crime friendly ASs (EUROHOST- 
NET/Eurohost LLC) during 2009. Let's take a quick 
snapshot of malicious activity currently taking place at 
AS29371. 

Detection rate for the Zeus crimeware phoning back 
to GazTransitStroy/GazTranZitStroy: 


- [5]Trojan.Zbot - Result: 8/41 (19.52 %) 



- [6]TR0J KRAP.SMDA - Result: 5/42 (11.91 %) 

- [7]Packed.Win32.Krap.ae - Result: 10/42 (23.81 %) 

Client-side exploits [8](Spammer:Win32/Tedroo.AB; 
Win32:FakeAlert-JJ - Result: 31/42 (73.81 %) serving 
do¬ 
mains/admin panels parked at 91.212.41.87: 
hvcvjxcc.cn - Email: wang9619@163.com 
fyyxqftc.cn - Email: wang9619@163.com 
qymgeejd.cn - Email: wang9619@163.com 
gjjdrgqf.cn - Email: wang9619@163.com 
gdttjkug.cn - Email: wang9619@163.com 
pgcnbgkk.cn - Email: wang9619@163.com 
xvrlomwk.cn - Email: wang9619@163.com 
bfhqrmtm.cn - Email: wang9619@163.com 
cfssixsn.cn - Email: wang9619@163.com 
vxoyqgcp.cn - Email: wang9619@163.com 
hjwbxhqr.cn - Email: wang9619@163.com 
frrszqot.cn - Email: wang9619@163.com 
axaldjqt.cn - Email: wang9619@163.com 
aafoocgv.cn - Email: wang9619@163.com 
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It's worth pointing out that fact that in February, a 
much more extensive portfolio of domains was 
parked on 195.88.190.30, with a small part of them, 
now responding to GazTransitStroy/GazTranZitStroy 
AS: 

arufeudv.cn - Email: wang9619@163.com 
axaldjqt.cn - Email: wang9619@163.com 
bbivbblr.cn - Email: wang9619@163.com 
cfssixsn.cn - Email: wang9619@163.com 
dcueqzke.cn - Email: wang9619@163.com 
drghzeap.cn - Email: wang9619@163.com 
fqfmyvii.cn - Email: wang9619@163.com 
gjjdrgqf.cn - Email: wang9619@163.com 
gokzlykr.cn - Email: wang9619@163.com 
gwsdwxae.cn - Email: wang9619@163.com 
icnzlxyo.cn - Email: wang9619@163.com 
inkqoevl.cn - Email: wang9619@163.com 
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izhdjcsu.cn - Email: wang9619@163.com 
lsggdniu.cn - Email: wang9619@163.com 


maaltsxg.cn - Email: wang9619@163.com 

mdftfxek.cn - Email: wang9619@163.com 

ntvftguu.cn - Email: wang9619@163.com 

pgcnbgkk.cn - Email: wang9619@163.com 

rbpwnrss.cn - Email: wang9619@163.com 

rzwdcsey.cn - Email: wang9619@163.com 

urybtnfb.cn - Email: wang9619@163.com 

uzfbhofi.cn - Email: wang9619@163.com 

vnvxltpr.cn - Email: wang9619@163.com 

vordquyo.cn - Email: wang9619@163.com 

xvrlomwk.cn - Email: wang9619@163.com 

ycgezkpu.cn - Email: wang9619@163.com 

ykcdffei.cn - Email: wang9619@163.com 

yvuxksuk.cn - Email: wang9619@163.com 

zdzhecim.cn - Email: wang9619@163.com 

Fake codecs serving domains parked at 91.212.41.88: 

real-time-tube.com - Email: admin@free-new-sex- 
video.com 

myusmailservice.com 

video-chronicle.com - Email: neujelivsamomdeli@safe- 
mail.net 
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yahoo-movies-online.com - Email: admin@yahoo-movies- 
online.com 

houstonhoteireal.com - Email: 
admin@houstonhotelreal.com 

sex-tapes-celebs.com - Email: wnscandals@gmail.com 

evertrands.com - Email: moldavimo@safe-mail.net 

myusmailservices.com - Email: 
admin@myusmailservices.com 

xplacex.com - Email: i.jahmurphy@gmail.com 

xsebay.com - Email: admin@xsebay.com 

exsebay.com - Email: admin@exsebay.com 

video-info.info - Email: videinfo@gmail.com 

partner777.net - Email: potenciallio@safe-mail.net 

video-trailers.net - Email: fullhdvid@gmail.com 

primusdns.ru - Email: samm _87@email.com 

aervrfhu.ru - Email: samm_87@email.com 

Sample redirection takes place through the following 
sampled domain: 

- yahoo-movies-online.com/ iframe7.php 

- real-web-tube.com/ xplay.php?id=40018 - 

59.53.91.124 



- multimediasupersite.com/ video-plugin.40018.exe - 

62.212.66.93 

Serving video-plugin.40018.exe - 

[9]W32/FakeAlert.FT.gen! El dorado - Result: 10/42 (23.81 %), 
which phones back to: 

yourartmuseum.com/fakbwq.php?q=RANDOM - 

66.96.219.38 - Email: davidearhart@rocketmail.com 

rareartonline.com - 64.191.44.73 - Email: 
fellows@nonpartisan.com 

sportscararts.com - 209.159.146.234 - Email: 
cdaniels@pennsylvania.usa.com 

expressautoarts.com - 69.10.35.253 - Email: 
cdaniels@pennsylvania.usa.com 

zenovy.com/resolution.php - 66.96.222.198 

bokwer.com/borders.php - 64.120.144.119 

Domains hosting the fake codec plugin are parked at 
62.212.66.93: 

bestinternetmedia.com - Email: shoemaker@angelic.com 

supermediaworld.com - Email: shoemaker@angelic.com 

hottrackdvd.com - Email: bailey@theplate.com 

multimediatoolguide.com - Email: 
severson@therange.com 

thebettermovie.com - Email: bailey@theplate.com 
movietoolonline.com - Email: severson@therange.com 



movietoolvideo.com - Email: shann@techie.com 

movielocationinfo.com - Email: maldonado@toke.com 

bestmultimediademo.com - Email: 
mcchristian@ymail.com 

dvddatacenter.com - Email: maldonado@toke.com 

videotooldirect.com - Email: shann@techie.com 

In gaz they trust, cybercriminals I don't trust. 

This post has been reproduced from [lOJDancho Danchev's 
blog. Follow him [lljon Twitter. 
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11. http://twitter.com/danchodanchev 
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Zeus Crimeware/Client-Side Exploits Serving 
Campaign in the Wild (2010-03-24 20:29) 

[1] 

UPDATED: Friday, March 26, 2010: In a typical multi¬ 
tasking fashion like the one we've seen in previous 
















campaigns, more typosquatted domains are being 
introduced, this time using the [2]well known IRS Fraud 
Application theme. 

What's worth pointing out is that, just like the M [3] 

Sea re ware, Sinowal, Client-Side Exploits Serving Spam 
Campaign in the Wild" campaign from last week, the current 
one is also launched on Friday. 

The reason? A pointless attempt by the gang to increase the 
lifecycle of the campaign. 
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- Sample URL: irs.gov.faodqt.com.pl 

/fraud.applications/application/statement, php 

- Client-side exploits serving iFrame URL: 

klgs.trfafsegh.com /index.php 

- Sample detection rate: tax-statement.exe - [4]Trojan- 
Spy.Win32.Zbot - Result: 29/42 (69.05 %), phones back to 

[5jshopinfmaster .com/cnf/shopinf.jpg 
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Spamvertised and currently active fast-fluxed domains 
include: 


fercca.com.pl 

fercci.com.pl 

ferkci.com.pl 


fercki.com.pl 

foodat.com.pl 

foocit.com.pl 

forcit.com.pl 

footit.com.pl 

ferckt.com.pl 

forckt.com.pl 

foodot.com.pl 

footot.com.pl 

faodqt.com.pl 
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foodyt.com.pl 

redee3e.com 

redee3e.com.pl 

redee3e.pl 

redee3o.com.pl 

eddpiii.com.pl 

eddsiii.com.pl 

eddsiip.com.pl 


eddsiui.com.pl 

eddsiuo.com.pl 

eddsiuy.com.pl 

edduiip.com.pl 
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edduiiz.com.pl 

edduyiz.com.pl 

edouyiz.com.pl 

ekouyiz.com.pl 

Name server of notice: 

nsl.globalistory.net - 87.117.245.9 - Email: 
tompsongand@aol.com 

One of [6]TR0YAK-AS's most aggressive customers (used to 
host their Zeus C &Cs there) for Ql, 2010, is once again ( 
latest campaign is from March 12th 2010 - [7]Scareware, 
Sinowal, Client-Side Exploits Serving Spam Campaign in the 
Wild) attempting to build a crimeware botnet, by 
spamvertising the [8]well known PhotoArchive theme, in 
between serving client-side exploits using an embedded 
iFrame on the domains in question. 

[9] 

In terms of quality assurance, the campaign is continuing to 
use it's proven campaign structure. The actual pages are 


hosting a binary for manual download, in between the iFrame 
which would inevitably drop the Zeus crimeware. 

Just like in previous campaigns, the gang continues to 
exclusively [lOJregistering its domains using the ALANTRON 

BLTD. domain registrar. Let's dissect the ongoing campaign's 
structure, and expose the domains, and ASs participating in 
it. 

Sample URL/subdomain structure: 

archive.pasweq.co.kr /idl007zx/get.php? 
emai I = emai l@mail.com 

photostock, pasweq.co. kr 

archives.pasweq.co.kr 

letitbit.pasweq.co.kr 

photobank.pasweq.co.kr 

photosbank.pasweq.co.kr 

photostock, pasweq.co. kr 

Sample message: 11 Photos Archives Hosting has a zero- 
tolerance policy against ILLEGAL content. AH archives 1159 


£ 


and links are provided by 3rd parties. We have no control 
over the content of these pages. We take no responsibility 
for the content on any website which we link to, please use 
your own discretion while surfing the links. © 2007-2009, 
Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED. 


[ 11 ] 

Sample iFrames embedded on the pages include: 
cogs.trfafsegh.com /index.php - 59.53.91.192 - Email: 
maple@qx8.ru; klgs.trfafsegh.com /index.php 
Sample iFrame campaign structure: 

- cogs.trfafsegh.com /index.php 

- cogs.trfafsegh.com /I.php 

- cogs.trfafsegh.com /statistics.php 

- klgs.trfafsegh.com /index.php 

- klgs.trfafsegh.com /I.php 

- klgs.trfafsegh.com /statistics.php 
[ 12 ] 
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Parked on the same IP where the iFrame domain is are also 
the following Zeus C &Cs - dogfoog.net - Email: 

drier@qx8.ru; countrtds.ru - Email: thru@freenetbox.ru - 
[13]AS4134 (CHINANET-BACKBONE No.31 Jin-rong Street) 

Detection rates: zeus.js - [14]Trojan.JS.Agent.bik - 1/41 (2.44 
%) serving update.exe - [15]PWS:Win32/Zbot.gen!R - 

Result: 17/42 (40.48 %), PhotoArchive.exe - [16]Trojan.Zbot - 
Result: 18/41 (43.91 %). The client-side exploitation is 


relying on the Phoenix Exploit's Kit. 

Samples phone back to: shopinfmaster.com /cnf/shopinf.jpg - 
78.2.153.153; 75.172.92.77; 78.84.78.179; 

86.106.228.77; 

184.56.245.136; 

68.49.19.6 - Email: Duran@example.com shopinfmaster.com 
/shopinf/gate.php 

Relying on the nsl.starwarfan.net name server, which is also 
connected to other Zeus crimeware C &Cs which 

also respond the same IPs - smotril23.com - Email: smot- 
smot@yandex.ru domainsupp.net - Email: ErnestJ- 
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Booth@example.com [17] 

Active and fast-fluxed subdomains+domains participating in 
the campaign: 

pasweokz.com - Email: romavesela@yahoo.com 

pasweq.co.kr- Email: romavesela@yahoo.com 

archive.pasweokz.com 

archive, pasweq.co.kr 

archives.pasweokz.com 

archives, pasweq.co.kr 
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letitbit.pasweokz.com 

letitbit.pasweq.co.kr 

photobank.pasweokz.com 

photobank.pasweq.co.kr 

photosbank.pasweokz.com 

photosbank.pasweq.co.kr 

photoshock.pasweokz.com 

photoshock.pasweq.co. kr 

photostock.pasweokz.com 

photostock, pasweq.co. kr 

Name servers currently in use were also seen in February, 
2010 ([18]IRS/PhotoArchive Themed Zeus/Client- 

Side Exploits Serving Campaign in the Wild) 

nsl.addressway.net - 87.117.192.79 - Email: 
pool bi I l@hotmail.com 

nsl.skc-realty.com - 87.117.192.79 - Email: skc@realty.net 

Updates will be posted as soon as new developments 
emerge. Consider going through the related posts, to 

catch up with the gang's activities for Ql, 2010. 

Related posts: 



[19] Scareware, Sinowal, Client-Side Exploits Serving Spam 
Campaign in the Wild 

[20] TROYAK-AS: the cybercrime-friendly ISP that just won't 
go away 

[21] AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 
249 to 181 

[22] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[23] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[24] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[25] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[26] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

This post has been reproduced from [27]Dancho Danchev's 
blog. Follow him [28Jon Twitter. 
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Copyright Lawsuit Filed Against You Themed Malware 
Campaign (2010-03-29 17:42) 

Having just received a copy of what appears to be the last 
active domain involved in last week's "[ljCopyright Lawsuit 
filed against you" themed [2]malware campaign, it's time to 
conduct a brief assessment of its inner workings. 

Subject used: Copyright Lawsuit filed against you 

Sample message: March 24, 2010 






























Crosby & Higgins 
350 Broadway, Suite 300 
New York, NY 10013 
To Whom It May Concern: 

On the link bellow is a copy of the lawsuit that we filed 
against you in court on March 11, 2010. Currently the Pretrail 
Conference is scheduled for April 11th, 2010 at 10:30 A.M. in 
courtroom #36. The case number is 3485934. 

The reason the lawsuit was filed was due to a completely 
inadequate response from your company for copyright 
infrigement that our client Touchstone Advisories Inc is a 
victim of Copyright infrigement 

www.touchstoneadvisorsonline.com /la wsuit/suit 
_documents.doc 

Touchstone Advisories Inc has proof of multiple Copyright 
Law violations that they wish to present in court on April 
11th, 2010. 

Sincerely, 

Mark R. Crosby 

Crosby & Higgins LLP 

Detection rates: 

- complaint.doc - [3]Downloader.Lapurd - Result: 22/39 
(56.42 %) 

- complaint _docs.pdf - [4]Trojan-Clicker.Win32.Cycler.odn - 
Result: 27/42 (64.29 %) 



Samples phone back to: 


- 121.14.149.132 /fwq/indux.php?U = RANDOM DATA - 

AS4134, CHINA-TELECOM China Telecom 

- 121.14.149.132 /hia 12/ter.php?u=UserName 
&c=COMPUTERNAME &v=RANDOM DATA 
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Active C &C administration panel at: 121.14.149.132 
/hial2/sca.php - returns M SSL ONLY. USE HTTPS" 

Spamvertised domains involved in the campaign: 

- touchstoneadvisorsonline.com /lawsuit/suit 
_documents.doc - 72.167.232.84 

- marcuslawcenter.com /s/r439875.doc - 173.201.145.1 

- Email: info@tedvernon.com 

- danilison.com/suit /complaint.doc - 72.167.183.15 

- daughtersofcolumbus.com /suit/complaint.doc - 
ACTIVE - 173.201.97.1 - Email: charlenej@stny.rr.com 

The same phone back IP was also profiled in [5]another 
campaign from January, 2010. 

Clearly, the cybercriminals behind it are aiming to stay 
beneath the radar, by relying on not so well profiled 

malicious infrastructure, combined with newly introduced 
campaigns in an attempt to make it harder to establish 
historical connections (Read about the [6]"aggregate- 
and-forget" concept in respect to botnets/malware) 

between the rest of the their malicious activities. 



This post has been reproduced from [7]Dancho Danchev's 
blog. Follow him [8Jon Twitter. 
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Money Mule Recruitment Campaign Serving Client- 
Side Exploits (2010-03-30 18:51) ” 





























Remember [l]Cefin Consulting & Finance, the bogus, 
money mule recruitment company that ironically tried to 
recruit me last month? 

They are back, with a currently ongoing money mule 
recruitment campaign, this time not just attempting to 

recruit gullible users, but also, serving client-side exploits 
( [2JCVE-2009-1492 ; [3JCVE-2007-5659 ) through an 
embedded javascript on each and every page within the 
recruitment site. 
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Let's dissect the campaign, expose the client-side exploits 
serving domains, the Zeus-crimeware serving domains 
parked within the same netblock as the mule recruitment site 
itself, to ultimately expose a bogus company for 

furniture hosting a pretty descriptive cv.exe that is dropped 
on the infected host. 

Initial recruitment email sent from 
financialcefi n@aol.com: 

Hello, Our Company is ready to offer full and part time job in 
your region. It is possible to apply for a well-paid part time 
job from your state. More information regarding working and 
cooperation opportunities will be sent upon request. Please 
send ail further correspondence ONLY to Company's email 
address: james.mynes.cf@gmail.com Best regards 

Response received: 

Greetings, 


Cefin Consulting & Finanace company thanks you for being 
interested in our offer. AH additional information about our 
company you may read at our official site. 
www.ceffincfin.com Below the details of vacancy 
operational scheme: 

1. The payment notice and the details of the beneficiary for 
further payment transfer will be e-mailed to your box. All 
necessary instructions regarding the payment will be 
enclosed. 

2. As a next step, you'll have to withdraw cash from our 
account. 

3. Afterwards you shall find the nearest Western Union office 
and make a transfer. Important: Only your first and last 
names shall be mentioned in the Western Union Form! No 
middle name (patronymic) is written! Please check carefully 
the spelling of the name, as it has to correspond to the 
spelling in the Notice. 

4. Go back home soonest possible and advise our operator 
on the payment details (Sender's Name, City, Country, MTCN 
(Money Transfer Control Number), Transfer Amount). 

5. Our operator will receive the money and send it to the 
customer. 

6. Please be ready to accept and to make similar transfers 2- 
5 times a week or even more often. Therefore you have to be 
on alert to make a Western Union payment any time. 
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Should you face any problems incurred in the working 
process, don't hesitate to contact our operator immediately. 


If you have any questions, please do not hesitate to contact 
us by e-mail. If you have understood the meaning of work 
and ready to begin working with us, please send us your 
INFO in the following format: 

1) First name 2) Last name 3) Country 4) City 5) Zip code 6) 
Home Phone number, Work Phone number, Mo¬ 
bile Phone number 7) Bank account info: a) Bank name b) 
Account name c) Account number d) Sort code 8) Scan you 
passport or driver license 

2010 © Cefin Consulting & Finance 
AH right reserved. 

Money mule recruitment URL: ceffincfin.com - 
93.186.127.252 - Email: winter343@hotmail.com - 
[4]currently 1169 




flagged as malicious. 

Once obfuscated, the javascript attempts to load the client- 
side exploits serving URL click-clicker.com /click/in.cgi?3 

- 195.78.109.3; 195.78.108.221 - Email: 
aniwaylin@yahoo.com, orclick-clicker.com - 195.78.109.3 - 
Email: aniwaylin@yahoo.com. 

Sample campaign structure: 

- click-clicke.com /cgi- 

bin/plt/n006106203302 r0009R81fc905cX409b 
2ddfY0a607663Z0100f055 


Parked on the same IP (91.213.174.52) are also the following 
client-side exploit serving domains: 

click-reklama.com - Email: tahli@yahoo.com 

googleinru.in - Email: mirikas@gmail.com 

Within AS29106, VolgaHost-as PE Bondarenko Dmitriy 
Vladimirovich, we also have the following client-side 
exploits/crimeware friendly domains: 

benlsdenc.com - Email: blablaman25@gmail.com 

nermdusa.com - Email: polakurt69@gmail.com 

mennlyndy.com - Email: albertxxl@gmail.com 

kemilsy.com - Email: VsadlusGruziuk@gmail.com 

benuoska.com - Email: godlikesme44@gmail.com 
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Name server of notice nsl.ginserdy.com - 93.186.127.205 

- Email: albertxxl@gmail.com and nsl.ndnsgw.net - 

195.78.109.3 - Email: aniwaylin@yahoo.com. have been also 
registered using the same emails as the original 

client-side exploit serving domains. 

Sample detection rates, and phone back locations: 

- cefin.js - [5]Troj/IFrame-DY - Result: 1/42 (2.39 %) 

- clicker.pdf - [ 6 ] 


Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM 

- Result: 21/42 (50.00 %) 

- clicker2.exe - [7]TR/Sasfis.akdv.l; Trojan.Sasfis.akdv.l; 
Trojan.Win32.Sasfis.akdv - Result: 18/42 (42.86 %) 

- cv.exe - [8]Trojan.Siggenl.15304 - Result: 3/42 (7.15 %) 

- l.exe - [9]Suspicious:W32/Malware!Gemini - Result: 4/42 
(9.53 %) 
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Upon execution, the sample phones back to Oficla/Sasfis C 

&C at socksbot.com /isb/gate.php? 
magic = 121412150001 

&ox=2-5-1-2600 &tm=3 &id=24905431 
&cache=4154905385 & - 195.78.109.3 - Email: 
aniwaylin@yahoo.com which drops 
pozitiv.md/master/cv.exe - 217.26.147.24 - Email: 
v.pozitiv@mail.ru from the web site of a fake company for 
furniture (PoZITIVe SRL). 

Interestingly, today the update location has been changed to 

tds-style.spb.ru /error/1.exe. Detection rate: 

- l.exe - [10]Suspicious:W32/Malware!Gemini - Result: 4/42 
(9.53 %) 

Keeping the money mules on a short leash series, are prone 
to expand. Stay tuned! 

Related coverage of money laundering in the context 
of cybercrime: 


[11] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

[12] Money Mule Recruiters on Yahool's Web Hosting 

[13] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[14] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[15] Keeping Reshipping Mule Recruiters on a Short Leash 

[16] Keeping Money Mule Recruiters on a Short Leash 

[17] Standardizing the Money Mule Recruitment Process 

[18] lnside a Money Laundering Group's Spamming 
Operations 
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[19] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[20] Money Mules Syndicate Actively Recruiting Since 2002 
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Money Mule Recruitment Campaign Serving Client- 
Side Exploits (2010-03-30 18:51) 

Remember [l]Cefin Consulting & Finance, the bogus, 
money mule recruitment company that ironically tried to 
recruit me last month? 

They are back, with a currently ongoing money mule 
recruitment campaign, this time not just attempting to 

recruit gullible users, but also, serving client-side exploits 
( [2JCVE-2009-1492 ; [3JCVE-2007-5659 ) through an 
embedded javascript on each and every page within the 
recruitment site. 
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Let's dissect the campaign, expose the client-side exploits 
serving domains, the Zeus-crimeware serving domains 
parked within the same netblock as the mule recruitment site 
itself, to ultimately expose a bogus company for 

furniture hosting a pretty descriptive cv.exe that is dropped 
on the infected host. 

Initial recruitment email sent from 
financialcefin@aol.com: 

Hello, Our Company is ready to offer full and part time job in 
your region. It is possible to apply for a well-paid part time 
job from your state. More information regarding working and 



cooperation opportunities will be sent upon request. Please 
send all further correspondence ONLY to Company's email 
address: james.mynes.cf@gmail.com Best regards 

Response received: 

Greetings, 

Cefln Consulting & Finanace company thanks you for being 
interested in our offer. AH additional information about our 
company you may read at our official site. 
www.ceffincfin.com Below the details of vacancy 
operational scheme: 

1. The payment notice and the details of the beneficiary for 
further payment transfer will be e-mailed to your box. All 
necessary instructions regarding the payment will be 
enclosed. 

2. As a next step, you'll have to withdraw cash from our 
account. 

3. Afterwards you shall find the nearest Western Union office 
and make a transfer. Important: Only your first and last 
names shall be mentioned in the Western Union Form! No 
middle name (patronymic) is written! Please check carefully 
the spelling of the name, as it has to correspond to the 
spelling in the Notice. 

4. Go back home soonest possible and advise our operator 
on the payment details (Sender's Name, City, Country, MTCN 
(Money Transfer Control Number), Transfer Amount). 

5. Our operator will receive the money and send it to the 
customer. 



6. Please be ready to accept and to make similar transfers 2- 
5 times a week or even more often. Therefore you have to be 
on alert to make a Western Union payment any time. 
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Should you face any problems incurred in the working 
process, don't hesitate to contact our operator immediately, 
if you have any questions, please do not hesitate to contact 
us by e-mail. If you have understood the meaning of work 
and ready to begin working with us, please send us your 
INFO in the following format: 

1) First name 2) Last name 3) Country 4) City 5) Zip code 6) 
Home Phone number, Work Phone number, Mo¬ 
bile Phone number 7) Bank account info: a) Bank name b) 
Account name c) Account number d) Sort code 8) Scan you 
passport or driver license 

2010 © Cefin Consulting & Finance 
AH right reserved. 

Money mule recruitment URL: ceffincfin.com - 
93.186.127.252 - Email: winter343@hotmail.com - 
[4]currently 1176 
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flagged as malicious. 

Once obfuscated, the javascript attempts to load the client- 
side exploits serving URL click-clicker.com /click/in.cgi?3 

- 195.78.109.3; 195.78.108.221 - Email: 
aniwaylin@yahoo.com, orclick-clicker.com - 195.78.109.3 - 


Email: aniwaylin@yahoo.com. 

Sample campaign structure: 

- click-clicke.com /cgi- 

bin/plt/n006106203302 r0009R81fc905cX409b 
2ddfY0a607663Z0100f055 

Parked on the same IP (91.213.174.52) are also the following 
client-side exploit serving domains: 

click-reklama.com - Email: tahli@yahoo.com 

googleinru.in - Email: mirikas@gmail.com 

Within AS29106, VolgaHost-as PE Bondarenko Dmitriy 
Vladimirovich, we also have the following client-side 
exploits/crimeware friendly domains: 

benlsdenc.com - Email: blablaman25@gmail.com 

nermdusa.com - Email: polakurt69@gmail.com 

mennlyndy.com - Email: albertxxl@gmail.com 

kemilsy.com - Email: VsadlusGruziuk@gmail.com 

benuoska.com - Email: godlikesme44@gmail.com 

1177 




Name server of notice nsl.ginserdy.com - 93.186.127.205 
- Email: albertxxl@gmail.com and nsl.ndnsgw.net - 

195.78.109.3 - Email: aniwaylin@yahoo.com. have been also 
registered using the same emails as the original 


client-side exploit serving domains. 

Sample detection rates, and phone back locations: 

- cefin.js - [5]Troj/IFrame-DY - Result: 1/42 (2.39 %) 

- clicker.pdf - [ 6 ] 

Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM 

- Result: 21/42 (50.00 %) 

- clicker2.exe - [7]TR/Sasfis.akdv.l; Trojan.Sasfis.akdv.l; 
Trojan.Win32.Sasfis.akdv - Result: 18/42 (42.86 %) 

- cv.exe - [8]Trojan.Siggenl.15304 - Result: 3/42 (7.15 %) 

- l.exe - [9]Suspicious:W32/Malware!Gemini - Result: 4/42 
(9.53 %) 
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Upon execution, the sample phones back to Oficla/Sasfis C 

&C at socksbot.com /isb/gate.php? 
magic = 121412150001 

&ox=2-5-1-2600 &tm=3 &id=24905431 
&cache=4154905385 & - 195.78.109.3 - Email: 
aniwaylin@yahoo.com which drops 
pozitiv.md/master/cv.exe - 217.26.147.24 - Email: 
v.pozitiv@mail.ru from the web site of a fake company for 
furniture (PoZITIVe SRL). 

Interestingly, today the update location has been changed to 

tds-style.spb.ru /error/1.exe. Detection rate: 


- l.exe - [10]Suspicious:W32/Malware!Gemini - Result: 4/42 
(9.53 %) 

Keeping the money mules on a short leash series, are prone 
to expand. Stay tuned! 

Related coverage of money laundering in the context 
of cybercrime: 

[11] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

[12] Money Mule Recruiters on Yahool's Web Hosting 

[13] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[14] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[15] Keeping Reshipping Mule Recruiters on a Short Leash 

[16] Keeping Money Mule Recruiters on a Short Leash 

[17] Standardizing the Money Mule Recruitment Process 

[18] lnside a Money Laundering Group's Spamming 
Operations 
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[19] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[20] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [21 JDancho Danchev's 
blog. Follow him [22Jon Twitter. 
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Summarizing Zero Day's Posts for March (2010-04-01 
10:58) 

The following is a brief summary of all of my posts at 
[l]ZDNet's Zero Day for March, 2010. 

You [2]can also go through [3]previous summaries, as well as 
subscribe to my [4]personal RSS feed, [5]Zero 

Day's main feed, or follow me on Twitter: 

Recommended reading - [6]TROYAK-AS: the cybercrime- 
friendly ISP that just won't go away ; [7]The current state of 
the crimeware threat - Q &A and [8]From Russia with 
(objective) spam stats 















01. [9] Pol ice arrest Mariposa botnet masters, 12M + hosts 
compromised 

02. [10]Vodafone HTC Magic shipped with Conficker, 
Mariposa malware 

03. [ll]Mac OS X SMS ransomware - hype or real threat? + 
[12]Gallery 

04. [13]TR0YAK-AS: the cybercrime-friendly ISP that just 
won't go away 

05. [14]Facebook password reset themed malware campaign 
in the wild 

06. [15]The current state of the crimeware threat - Q &A 
07. [16]From Russia with (objective) spam stats 
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08. [17]Survey: Millions of users open spam emails, click on 
links 

09. [ 18]Trivial security flaw in popular iPhone app leads to 
privacy leak 

10. [19]Report: 64 % of all Microsoft vulnerabilities for 2009 
mitigated by Least Privilege accounts 

This post has been reproduced from [20]Dancho Danchev's 
blog. Follow him [21 Jon Twitter. 
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Keeping Money Mule Recruiters on a Short Leash - 
Part Four (2010-04-09 10:54) 

UPDATED: Saturday, April 10, 2010: Some of the mule 
recruitment sites appear to be interested in something else, 
rather than recruiting mules - must be the oversupply of 
people unknowingly participating in the cybercrime 
ecosystem. 

Several of the domains (for instance ortex-gourpinc.tw and 
augmentgroupinc.tw) are not accepting registrations, 
instead, but are attempting to trick the visitor into 
downloading and executing a bogus psychological 
test. 

11 Below is a test prepared by professional psychologists and 
is required in order to be considered a competent candidate 
for the offered position. After successful completion of your 
test, you will be asked to register on our web site, if you are 
not ready to register right away, please wait to take the test 
at a later point. To REGISTER, simply run the test and you will 
be prompted to dick on the "Register Now" button at any 
time and you will be redirected to the login page, without 
having to take the test again. 
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*This test is under development and we are grateful for all 
comments and suggestions." *lf you are having trouble 
running the test and your computer is requesting 
administrative rights, download the test and simply right- 


dick on the Test icon and select "Run As Administrator" from 
the menu. " 

- [ljtestAugmentlnc.exe - Result: 3/38 (7.9 %) - 
Trojan/Win32.Chifrax.gen; Reser.Reputation. 1 

- [2JtestOrtexGroup.exe - Result: 3/39 (7.7 %) - 
Trojan/Win32.Chifrax.gen; Reser.Reputation. 1 

UPDATED: AS34305, EUROACCESS has taken down the IPs 
within their network. The money mule recruiters naturally 
have a contingency plan in place, and have migrated to 
[3JAS38356 - [4JTimeNet (222.35.143.112; 
222.35.143.234; 222.35.143.235; 222.35.143.237) and 
AS21793 GOGAX (76.76.100.2; 76.76.100.4; 
76.76.100.5). 
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Based on the already established patterns of this group, it 
was only a matter of time until they re-introduced yet 
another portfolio of money mule recruitment domains, 
combining them with spamvertised recruitment messages, 

and forum postings. 

Just like their campaign from last month ([5]Keeping 
Money Mule Recruiters on a Short Leash - Part Three) 

the current one is once again interacting exclusively with 
AS34305, EUROACCESS Global Autonomous System, 
including the newly introduced name servers. 

What has changed? It's the [6]migration towards the use 
of fast-flux infrastructure for ZeuS crimeware serv- 


ing campaigns, and in an isolated incident profiled in this 
post, a money mule recruitment campaign that's also sharing 
the same fast-flux infrastructure. Combined with the 
BIZCN.COM, INC. domain registrar's practice of accepting 
domain registrations using example.com emails, next to 
ignoring domain suspension requests - you end up with the 
perfect safe haven for a cybercrime operation. 

In March, 2010, it took EUROACCESS less then 10 minutes to 
undermine their campaigns, including ones re- 
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siding within the AS of a cyber-crime friendly customer 
known as 193.104.22.0/24 KratosRoute. However, it's 
interesting to observe their return to the same ISP, given that 
they were within a much more cybercrime-friendly 
neighborhood once EUROACCESS kicked them out last 
month. 

Although the take down activities from last month may seem 
to have a short-lived effect, now that they're 

not only back, but are once again abusing EUROACCESS, the 
loss of OPSEC (operational security) did happen, just like it 
happened in the wake of the [7]TROYAK-AS takedown. 

Let's dissect the currently ongoing campaign, and emphasize 
on a second money mule recruitment campaign, 

that's not just using a fast-flux infrastructure, but is also 
connected to hi la rykneber@yahoo.com ([8]The Kneber 
botnet - FAQ). 

Spamvertised, and parked domains on 85.12.46.3; 
85.12.46.2; 193.104.106.30 - AS34305, EUROACCESS Global 


Autonomous System are as follows: 
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altitudegroupinc.tw - Email: weds@fastermail.ru 

altitude-groupli.com - Email: mylar@5mx.ru 
altitude-groupmain.tw - Email: gutsy@qx8.ru 
amplitude-groupmain.net - Email: tabs@5mx.ru 
arvina-groupco.tw - Email: hv@qx8.ru 
arvina-groupinc.tw - Email: jerks@5mx.ru 
arvina-groupnet.cc - Email: mat.mat@yahoo.com 
asperity-group.com - Email: okay@qx8.ru 
asperitygroup.net - Email: cde@freenetbox.ru 
asperitygroupinc.tw - Email: ti@fastermail.ru 
asperity-groupmain.tw - Email: gutsy@qx8.ru 
astra-groupnet.tw - Email: logic@qx8.ru 
astra-groupinc.tw - Email: gv@fastermail.ru 
augment-group.com - Email: mylar@5mx.ru 
augmentgroup.net - Email: glean@fastermail.ru 
augmentgroupinc.tw - Email: weds@fastermail.ru 
augment-groupmain.tw - Email: gutsy@qx8.ru 
celerity-groupmain.net - Email: cde@freenetbox.ru 



celerity-groupmain.tw - Email: weds@fastermail.ru 
excel-groupco.tw - Email: thaws@bigmailbox.ru 
excel-groupsvc.com - Email: carlo@qx8.ru 
fincore-groupllc.tw - Email: jerks@5mx.ru 
fecunda-group.com - Email: okay@qx8.ru 
fecundagroupllc.tw - Email: omega@fastermail.ru 
fecunda-groupmain.net - Email: mylar@5mx.ru 
fecunda-groupmain.tw - Email: ti@fastermail.ru 
foreaim-group.com - Email: cde@freenetbox.ru 
foreaimgroup.net - Email: glean@fastermail.ru 
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foreaimgroupinc.tw - Email: gutsy@qx8.ru 
foreaim-groupmain.tw - Email: weds@fastermail.ru 
impact-groupinc.net - Email: cde@freenetbox.ru 
impact-groupnet.com - Email: okay@qx8.ru 
luxor-groupco.tw - Email: logic@qx8.ru 
luxor-groupinc.cc - Email: mat.mat@yahoo.com 
luxor-groupinc.tw - Email: gv@fastermail.ru 
magnet-groupco.tw - Email: gv@fastermail.ru 


magnet-groupinc.cc - Email: mat.mat@yahoo.com 
millennium-groupco.tw - Email: thaws@bigmailbox.ru 
millennium-groupsvc.tw - Email: thaws@bigmailbox.ru 
optimusgroupnet.ee - Email: mat.mat@yahoo.com 
optimus-groupsvc.tw - Email: jerks@5mx.ru 
ortex-gourpinc.tw - Email: clad@bigmailbox.ru 
ortex-groupinc.cc - Email: mat.mat@yahoo.com 
pacer-groupnet.tw - Email: omega@fastermail.ru 
point-groupco.tw - Email: wxy@qx8.ru 
point-groupinc.cc - Email: mat.mat@yahoo.com 
spark-groupco.tw - Email: clad@bigmailbox.ru 
spark-groupsv.tw - Email: clad@bigmailbox.ru 
spark-groupsvc.com - Email: trim@freenetbox.ru 
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synapse-groupfine.net - Email: okay@qx8.ru 
synapse-groupinc.tw - Email: omega@fastermail.ru 
synapsegroupli.com - Email: tabs@5mx.ru 
target-groupine.ee - Email: mat.mat@yahoo.com 
tnm-group.tw - Email: troop@bigmailbox.ru 
tnmgroupinc.com - Email: tabs@5mx.ru 



tnmgroupsvc.net - Email: tabs@5mx.ru 

starlingbusinessgroup.com - 212.150.164.201 - Email: 
tahli@yahoo.com (spamvertised separately from the 
campaign) 

Newly introduced name servers: 

ns3.sandhouse.cc - 74.118.194.82 - Email: 
taunt@freenetbox.ru 

nsl.volcanotime.com (Parked on the same IP is also 

nsl.jockscreamer.net Email: 

free@freenetbox.ru) - 

64.85.174.144 - Email: hs@bigmailbox.ru 

ns2.weathernot.net - (Parked on the same IP is also 
ns2.worldslava.cc Email: fussy@bigmailbox.ru) 
204.12.217.252 

- Email: bowls@5mx.ru 

nsl.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru 

ns2.pesenlife.net - 204.12.217.254 - Email: erupt@qx8.ru 

ns3.greezly.net - 204.124.182.151 - Email: erupt@qx8.ru 

Name servers known from previous campaigns remain active, 
using AS34305: 

nsl.chinegrowth.cc - 92.63.111.196 - Email: 
duly@fastermail.ru 

nsl.partytimee.cn - 92.63.111.196 - Email: chunk@qx8.ru 



nsl.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru 

nsl.translatasheep.net - 92.63.111.127 - Email: 
stair@freenetbox.ru 

nsl.bizrestroom.ee - 92.63.110.85 - Email: hook@5mx.ru 

ns2.alwaysexit.com - 85.12.46.2 - Email: 
sob@bigmailbox.ru 

ns2.trythisok.cn - 85.12.46.2 - Emaik: chunk@qx8.ru 

It's been a while, since I came across a money mule 
recruitment campaign using fast-flux infrastructure 

([9]Money Mule Recruiters use ASProx's Fast Fluxing 
Services) that's also currently being used by domains 
registered using the same emails as the original Hilary 
Kneber campaigns ([10]Celebrity-Themed Scareware 
Campaign Abusing DocStoc) from December, 2009, as 
well as related mule recruitment campaigns ([ll]Dissecting 
an Ongoing Money Mule 

Recruitment Campaign) from February, 2010. 
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Moreover, one of the domains sharing the fast-flux 
infrastructure with the money mule recruitment site as- 

apfinancialgroup.com - Email: 

admin@asapfinancialgroup.com, was also profiled in last 
month's "[12]Zeus Crimeware/Client-Side Exploits 
Serving Campaign in the Wild". 
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The following ZeuS crimeware, client-side exploits service, 
and malware phone back C &C domains, all share the same 
fast-flux infrastructure: 

allaboutcOntrol.cc - Email: HilaryKneber@yahoo.com 

[13] agreement52.com - Email: Davenport@example.com 

[14] smotril23.com - Email: smot-smot@yandex.ru - [ 15]C 
&C profiled last month 

jdhyhl230jh.net - Email: None@aol.com 

[16] mabtion.cn - Email: Michell.Gregory2009@yahoo.com 

[17] wooobo.cn - Email: Michell.Gregory2009@yahoo.com 
[18jmmjl3l45lkjbdb.ru - Email: none@none.com 
[19jdomainsupp.net - Email: ErnestJBooth@example.com 
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first-shockabsorbers.com - Email: ring.redlink@yandex.ru 
this-all-clean.info - Email: ring.redlink@yandex.ru 

f45rugfj98hj9hjkfrnk.com - Email: holsauto@live.com 

[20jfinancialdeposit.com - Email: crWright@gmail.com 

connectanalyst.com - Email: Mildred44@gmail.com - NOT 
ACTIVE 

vmnrjiknervir.com - Email: holsauto@live.com - NOT 
ACTIVE 


[21] longtermrelations.com - Email: 
admin@schumachercomeback.com - NOT ACTIVE, 
SUSPENDED 

Name servers of the fast-fluxed domains include: 

nsl.hollwear.com - 87.239.22.240 - Email: 
kymboll@rocketmail.com 

nsl.kentinsert.net - 64.120.135.214 - Email: 
rackmodule@writemail.com 

nsl.dimplemolar.net - 207.126.161.29 - Emaik: 
carruawau@gmail.com 

nsl.megapricelist.net - 66.249.23.63 - Email: 
jobwes@clerk.com 

nsl.bighelpdesk.net - 76.10.203.46 - Email: 
galaxegalaxe@gmail.com 

nsl.linejeans.com - 95.211.86.140 - Email: 
palmatorz@aol.com 

nsl.ceberlin.com - 204.12.210.235 

EUROACCESS have been notified, an updated will be posted 
as soon as they take care of the campaign. 

Related coverage of money laundering in the context 
of cybercrime: 

[22] Money Mule Recruitment Campaign Serving Client-Side 
Exploits 

[23] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 



[24] Money Mule Recruiters on Yahool's Web Hosting 

[25] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[26] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[27] Keeping Reshipping Mule Recruiters on a Short Leash 

[28] Keeping Money Mule Recruiters on a Short Leash 

[29] Standardizing the Money Mule Recruitment Process 

[30] lnside a Money Laundering Group's Spamming 
Operations 

[31] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[32] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [33]Dancho Danchev's 
blog. Follow him [34]on Twitter. 
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Dissecting Northwestern Bank's Client-Side Exploits 
Serving Site Compromise (2010-04-12 12:03) 

It's one thing to indirectly target a bank's reputation by 
brand-jacking it for phishing or malware servince purposes, 
and entirely another when the front page of the bank 

(NorthWesternBankOnline.com) itself is embedded with 
an iFrame leading to client-side exploits, to ultimately serve 
a copy of [ljBackdoor.DMSpammer. 

• Go through an assessment of a similar incident from 2007 - 

[2]Bank of India Serving Malware 

This is exactly what happened on Friday, with the front page 
of the [3]Northwestern Bank of Orange City and Sheldon, 
Iowa acting as an infection vector. And although the site is 
now clean, the compromise offers some interesting 

insights into the multitasking on behalf of some of the most 
prolific malware spreaders for Ql, 2010. 






















• Go through assessments of their previous 
campaigns: [4]Scareware, Sinowal, Client-Side Exploits 
Serving Spam Campaign in the Wild; [5]AS50215 Troyak-as 
Taken Offline, Zeus C &Cs Drop from 249 to 181; [6]Outlook 

Web Access Themed Spam Campaign Serves Zeus 
Crimeware; [7]Pushdo Serving Crimeware, Client-Side Ex¬ 
ploits and Russian Bride Scams; [8]PhotoArchive 
Crimeware/Client-Side Exploits Serving Campaign in the 
Wild; 

[9]Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild; [10]IRS/PhotoArchive Themed 

Zeus/Client-Side Exploits Serving Campaign in the Wild) 
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How come? The iFrame domain used in the Northwestern 
Bank's campaign, is parked on the very same IP 

(59.53.91.192 - AS4134, CHINA-TELECOM China Telecom) 
that is still active, and was profiled in last month's 
spamvertised "[ll]Zeus Crimeware/Client-Side Exploits 
Serving Campaign in the Wild" campaign. 

The iFrame embedded on the front page of Northwestern 
Bank's web site, mumukafes.net /trf/index.php - 

59.53.91.192 - Email: mated@freemailbox.ru, redirects 
through the following directories, to ultimately attempt to 
serve client-side exploits through the copycat Phoenix 
Exploit Kit web malware exploitation kit: 


- mumukafes.net /trf/index.php - 59.53.91.192 - Email: 
mated@freemailbox.ru 

- sobakozgav.net /index.php - 59.53.91.192 

- sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324 

- sobakozgav.net /l.php?i = 16 

- sobakozgav.net /statistics.php 

Parked on the same IP (59.53.91.192) are also the following 
domains, all of which have been seen serving client-side 
exploits in previous campaigns: 

aaa.fozdegen.com - Email: mated@freemailbox.ru 

bbb.fozdegen.com - Email: mated@freemailbox.ru 

cogs.trfafsegh.com - Email: maple@qx8.ru 
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countrtds.ru - Email: thru@freenetbox.ru 
dogfoog.net - Email: drier@qx8.ru 
eee.fozdegen.com - Email: mated@freemailbox.ru 
fff.sobakozgav.net - Email: mated@freemailbox.ru 
fozdegen.com - Email: mated@freemailbox.ru 
lll.sobakozgav.net - Email: mated@freemailbox.ru 
mumukafes.net - Email: mated@freemailbox.ru 


sobakozgav.net - Email: mated@freemailbox.ru 

trfafsegh.com - Email: maple@qx8.ru 

Moreover, there are also active [12]ZeuS C &Cs on the same 
IP - 59.53.91.192, with the following detection rates for the 
currently active binaries: 

- exel.exe - [13]Trojan/Win32.Zbot.gen; Trojan- 
Spy.Win32.Zbot - Result: 32/38 (84.22 %) 

- exe.exe - [14]Backdoor.DMSpammer - Result: 23/39 (58.97 
%) 

- svhost.exe - [15]Trojan.Win32.Swisyn; 

Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85 %) 

- vot.exe - [16]Trojan.Spy.ZBot.EOR; TSPY ZBOT.SMG - 
Result: 15/38 (39.48 %) 
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Detection rates for the campaign files obtained through 
Northwestern Bank's client-side exploit serving campaign: 

-js.js - [17]Mal/0bfJS-CT; JS/Crypted.CV.gen - Result: 3/39 
(7.7 %) 

- newplayer.pdf - [18]Exploit.PDF-JS.Gen; 
Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42 %) 

- update.exe - [19]Backdoor.DMSpammer - Result: 24/39 
(61.54 %) 


The sampled update.exe phones back to the following 
locations: 



usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, 
AS38356, TimeNet - Email: paulapruynel3@gmail.com 

usrdomainn.net /n2/tuktuk.php 

usrdomainn.net /n2/getemails.php 

usrdomainnertwesar.net /n2/getemails.php 

usrdomainnertwesar.net /n2/checkupdate.txt 

usrdomainnertwesar.net /n2/tuktuk.php 

AS38356, TimeNet is most recently seen in the migration of 
the money mule recruiters 11 [20]Keeping Money Mule 
Recruiters on a Short Leash - Part Four ", with 
tuktuk.php literally translated as herehere.php. 

The site is now clean, however, the iFrame domains and ZeuS 
C &Cs remain active. 

This post has been reproduced from [21 ]Dancho Danchev's 
blog. Follow him [22Jon Twitter. 
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Copyright Violation Alert Themed Ransomware in the 
Wild (2010-04-12 19:51) 

The copyright violation alert themed ransomware campaign ( 

[IjCopyright violation alert ransomware in the wild; 

[2]ICPP Copyright Foundation is Fake ) is not just a 
novel approach for extortion of the highest amount of money 
seen in ransomware variants so far, but also, offers 
interesting clues into the multitasking mentality of the 
cybercriminals whose campaigns have already been profiled. 

The bogus ICPP Foundation (icpp-online.com - 
193.33.114.77 - Email: ovenersbox@yahoo.com) describes it¬ 
self as: 

11 We are a law firm which specialises in assisting intellectual 
property rights holders exploit and enforce their rights 
globally Illegal file sharing costs the creative industries 
billions of pounds every year. The impact of this is huge, 
resulting in job losses, declining profit margins and reduced 
investment in product development. Action needs to be 
taken and we believe a coordinated effort is needed now, 
before irreparable damage is done. 

We have developed effective and unique methods for 
organisations to enforce their intellectual rights. By working 
effectively with forensic IT experts, law firms and anti-pi racy 
organisations, we seek to eliminate the illegal distri-1200 


bution of copyrighted material through our revolutionary 
business model. Whilst many companies offer anti-piracy 
measures, these are often costly and ineffective. Our 
approach is quite the opposite, it generates revenue for 
rights holders and effectively decreases copyright 


infringement in a measurable and sustainable way We offer 
high quality advice and excellent client care by delivering a 
thorough and reliable service. If you are interested in our 
services, please contact us for a no obligation consultation. " 

[3]Responding to the same IP (193.33.114.77) are also: 

green-stat.com - Email: tahii@yahoo.com 

media-magnats.com - Email: tahli@yahoo.com 

Where do we know the tahli@yahoo.com email from? From 

the "[4]The Koobface Gang Wishes the Industry 

"Happy Holidays" where it was used to register Zeus C &Cs 
as well as money mule recruitment domains, from the 

"[5] Money Mule Recruitment Campaign Serving Client- 
Side Exploits" where it was used to register the client-side 
exploit serving mule recruitment site, and most recently 
from "[6]Keeping Money Mule Recruiters on a Short 
Leash 

- Part Four" used in another mule recruitment site 
registration. 

What's particularly interesting about the ransomware 
variant, is the fact that it has been localized to the following 
languages: Czech, Danish, Dutch, English, French, German, 
Italian, Portuguese, Slovak and Spanish, as well as the fact 
that it will attempt to build its torrents list from actual torrent 
files it is able to locate within the victim's hard drive. 

Detection rates, for the ransomware: 

- mm.exe - [7]Win32/Adware.Antipiracy - Result: 2/39 (5.13 
%) 



- iqmanager.exe - [8]Rogue:W32/DotTorrent.A - Result: 5/39 
(12.83 %) 

- uninstall.exe - [9]Reser.Reputation.l - Result: 1/39 (2.57 
%) 

Upon execution, the sample phones back to 
91.209.238.2/m5install/774/l (A548671, GROZA-AS 
Cyber Inter¬ 
net Bunker) with the actual affiliate ID " afid=774" found in 
the settings.ini file. Active on the same IP are also related 
phone back directories, from different campaigns" 

91.209.238.2/r2ne winstall/freemen/1 
91.209.238.2/r2ne winstall/02937/1 
91.209.238.2/r2 hit/7/0/0 

This is perhaps the first recorded case of cybercriminals 
ignoring the basics of micro-payments, and emphasiz¬ 
ing on profit margins by attempting to extort the amount of 
$400. 

Related ransomware posts: 

[10]Mac OS X SMS ransomware - hype or real threat? 
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[11 ]iHacked: jailbroken iPhones compromised, $5 ransom 
demanded 

[12]New LoroBot ransomware encrypts files, demands $100 
for decryption 



[13] New ransomware locks PCs, demands premium SMS for 
removal 

[14] Scareware meets ransomware: "Buy our fake product 
and we'11 decrypt the files " 

[15] Who's behind the GPcode ransomware? 

[16] How to recover GPcode encrypted files? 

[17JSMS Ransomware Displays Persistent Inline Ads 
[18JSMS Ransomware Source Code Now Offered for Sale 

[19] 3rd SMS Ransomware Variant Offered for Sale 

[20] 4th SMS Ransomware Variant Offered for Sale 

[21] 5th SMS Ransomware Variant Offered for Sale 

[22] 6th SMS Ransomware Variant Offered for Sale 

This post has been reproduced from [23]Dancho Danchev's 
blog. Follow him [24]on Twitter. 
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Copyright Violation Alert Themed Ransomware in the 
Wild (2010-04-12 19:51) 

UPDATED: Wednesday; April 28, 2010: The universal 
license code required in the " Enter a previously purchased 
license code" window is RFHM2-TPX47-YD6RT-H4KDM 

The copyright violation alert themed ransomware campaign ( 

[lJCopyright violation alert ransomware in the 























wild; [2JICPP Copyright Foundation is Fake ) is not just a 
novel approach for extortion of the highest amount of money 
seen in ransomware variants so far, but also, offers 
interesting clues into the multitasking mentality of the 
cybercriminals whose campaigns have already been profited. 

The bogus ICPP Foundation (icpp-online.com - 
193.33.114.77 - Email: ovenersbox@yahoo.com) describes it¬ 
self as: 

" We are a law firm which specialises in assisting intellectual 
property rights holders exploit and enforce their rights 
globally. Illegal file sharing costs the creative industries 
billions of pounds every year. The impact of this is huge, 
resulting in job losses, declining profit margins and reduced 
investment in product development. Action needs to be 
taken and we believe a coordinated effort is needed now, 
before irreparable damage is done. 
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We have developed effective and unique methods for 
organisations to enforce their intellectual rights. By working 
effectively with forensic IT experts, law firms and anti-piracy 
organisations, we seek to eliminate the illegal distribution of 
copyrighted material through our revolutionary business 
model. Whilst many companies offer anti-piracy measures, 
these are often costly and ineffective. Our approach is quite 
the opposite, it generates revenue for rights holders and 
effectively decreases copyright infringement in a measurable 
and sustainable way. We offer high quality advice and 
excellent client care by delivering a thorough and reliable 
service. If you are interested in our services, please contact 
us for a no obligation consultation. " 


[3]Responding to the same IP (193.33.114.77) are also: 
green-stat.com - Email: tahli@yahoo.com 
media-magnats.com - Email: tahli@yahoo.com 

Where do we know the tahli@yahoo.com email from? From 

the "[4]The Koobface Gang Wishes the Industry 

"Happy Holidays" where it was used to register Zeus C &Cs 
as well as money mule recruitment domains, from the 

"[5] Money Mule Recruitment Campaign Serving Client- 
Side Exploits" where it was used to register the client-side 
exploit serving mule recruitment site, and most recently 
from "[6]Keeping Money Mule Recruiters on a Short 
Leash 

- Part Four" used in another mule recruitment site 
registration. 

What's particularly interesting about the ransomware 
variant, is the fact that it has been localized to the following 
languages: Czech, Danish, Dutch, English, French, German, 
Italian, Portuguese, Slovak and Spanish, as well as the fact 
that it will attempt to build its torrents list from actual torrent 
files it is able to locate within the victim's hard drive. 

Detection rates, for the ransomware: 

- mm.exe - [7]Win32/Adware.Antipiracy - Result: 2/39 (5.13 
%) 

- iqmanager.exe - [8]Rogue:W32/DotTorrent.A - Result: 5/39 
(12.83 %) 

- uninstall.exe - [9]Reser.Reputation.l - Result: 1/39 (2.57 
%) 



Upon execution, the sample phones back to 
91.209.238.2/m5install/774/l (AS48671, GR0ZA-A5 
Cyber Inter¬ 
net Bunker) with the actual affiliate ID " afid=774" found in 
the settings.ini file. Active on the same IP are also related 
phone back directories, from different campaigns" 

91.209.238.2/r2ne winsta Il/freemen/1 
91.209.238.2/r2ne winstall/02937/1 
91.209.238.2/r2 hit/7/0/0 

This is perhaps the first recorded case of cybercriminals 
ignoring the basics of micro-payments, and emphasiz¬ 
ing on profit margins by attempting to extort the amount of 
$400. 
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Related ransomware posts: 

[10]Mac OS X SMS ransomware - hype or real threat? 

[11 ]iHacked: jailbroken iPhones compromised, $5 ransom 
demanded 

[12] New LoroBot ransomware encrypts files, demands $100 
for decryption 

[13] New ransomware locks PCs, demands premium SMS for 
removal 

[14] Scareware meets ransomware: "Buy our fake product 
and we'll decrypt the files " 



[15] Who's behind the GPcode ransomware? 

[16] How to recover GPcode encrypted files? 

[17JSMS Ransomware Displays Persistent Inline Ads 
[18JSMS Ransomware Source Code Now Offered for Sale 

[19] 3rd SMS Ransomware Variant Offered for Sale 

[20] 4th SMS Ransomware Variant Offered for Sale 

[21] 5th SMS Ransomware Variant Offered for Sale 

[22] 6th SMS Ransomware Variant Offered for Sale 

This post has been reproduced from [23]Dancho Danchev's 
blog. Follow him [24]on Twitter. 

1. http://bloas.zdnet. com/securit v/? o=6095 

2. htto://www. f-secure. com/webloa/archives/00001931. html 

3. 

htto://msm vos. com/bloas/s o vwaresucks/archi ve/2010/04/12/ 
1763297. a s ox 

4. htto.V/ddanchev.blo as oot.com/2009/12/koobface-aan a- 
wishes-industrv-ha pp v.html 

5. http.V/ddanchev.blo as pot.com/2010/03/monev-mule- 
recruitment-campaian-servina.html 

6. http.V/ddanchev.blo as pot.com/2010/04/keepina-mone v- 
mule-recruiters-on-short. html 


7 . 


























htto://www. virustotal. com/analisis/dd0d00fec6564d52ad291 e 

8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8-12710 

70143 

8 . 

htto://www. virustotal. com/analisis/1301037ea0315e6c4d001 

a 7e4630ed7484e9b3b5d70 7f65f231 e62e4fdl 1789 7-12710 

73080 

9. 

http://www. virustotal. com/analisis/fl 91 a 7442c6c04b69d0ba4 

3 fa 79 f3 7092aa2ec83 7c944828a502cfa2965dla08-12710 

76413 

10. http://bloas.zdnet. com/securit v/? p=5 731 

11. http://bloas.zdnet.com/securit v/? p=4805 

12. http://bloas.zdnet. com/securit v/? p=4 748 

13. http://bloas.zdnet. com/securit v/? p=3197 

14. http://bloas.zdnet. com/securit v/? p=3014 

15. http://bloas.zdnet. com/securit v/? p=1259 

16. http://bloas.zdnet.com/securit v/? p=1280 

17. http://ddanchev.blo as pot. com/2009/09/sms-ransomware- 
dis pla vs- persistent.html 


18. http://ddanchev.blo as pot.com/2009/Q5/sms-ransomware- 
source-code-no w-offered.html 






































19. htto.V/ddanchev.blo as pot.com/2009/05/3rd-sms- 
ransomware-variant-offered-forhtml 


20. http://ddanchev.blo as pot.com/2009/07Z4th-sms- 
ransom ware-variant-offered-for. html 

21. http://ddanchev.blo as pot.com/2009/07Z5th-sms- 
ransom ware-variant-offered-for. html 

22. http://ddanchev.blo as pot.com/2009/Q8/6th-sms- 
ransom ware-variant-offered-for. html 


23. htto.V/ddanchev.blo as pot.com/ 

24. htto://twitter.com/danchodanchev 
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iPhone Unlocking Themed Malware Campaign 
Spamvertised (2010-04-14 20:20) 

UPDATED: Sunday, April 18, 2010: The folks at 
[lJEmergingThreats pinged me on the fact that immediately 
after the brief assessment went public, the cybercriminals 
moved iphone-iphone.info to 174.37.172.68 (SoftLayer 
Technologies Inc.) Currently responding to the same IP are 
also the following domains known to have been connected 
with previous malware campaigns - startexag.com - Email: 
venterprize@gmaii.com; exposingpics.com, and 
animezhd.com. 

Researchers from [2]BitDefender are reporting on a currently 
spamvertised malware campaign, using a " Unlock, Jailbrake 
and "hack"tivate iPhone 


3.1.3" theme. 

















The 


spamvertised 

domain 

iphone-iphone.info 


188.210.236.181 


Email: 

iphone- 

iphone.info@protecteddomainservices.com, is enticing the 
end user into download the malware from 

pepd.org/blackraln.exe -188.210.236.109 - Email: 
pepd. org@protecteddomainservices. com. 
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Detection rate: blackraln.exe - [3 JTrojan.BAT. A ACL - Result: 
10/40 (25 %), with the malware itself attempting to change 
the default DNS settings on the infected hosts to the 
following IP - 188.210.236.250 (188-210-236- 
250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de 
Aries, Nr 3, Bi 5B, Sc A, Ap 39, Bucuresti, 6. 

- Creates the following registry entry in an attempt to 
change default DNS settings: 


HKEY LOCAL _MACHiNE\SYSTEM\ControiSet001 \Ser 
vices\Tcpip\Parameters\lnterface s| {5D19E473-BE30-416B- 

B5C7-D8A 091C41D2F } "NameServer" = 188.210.236.250 

- Creates Process - Filename () CommandLine: 

(C:\WIND0WS\system32\NETSH. EXE: interface ip set dns 
"Local Area Connection" static 188.210.236.250) As User: 

() Creation Flags: (CREATE_DEFAULT ERROR _MODE CREATE 
SUSPENDED) interface ip set dns "wireies 

network connection" static 188.210.236.250) As User: () 
Creation Flags: (CREATE DEFAULT ERROR _MODE CREATE 

SUSPENDED) 

From Romania, with DNS changing malware. 

This post has been reproduced from [4]Dancho Danchev's 
blog. Follow him [5Jon Twitter. 

1. htto://www. emer ain athreats.net/ 

2. http://www.ma lwarecitv.com/blo a/i Dhone-unlockina-tricks- 
aet-pcs-into-trouble- 791 . him I 

3. 

http://www. virustotal.com/analisis/f99906a458042a4ca f5fc07 

193fb54c290c55560c28c35ba78b5a95bldfe0fe8-12712 

67435 

4. htto://ddanchev.blo as oot.com/ 
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5. htto://twitter.com/danchodanchev 
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Face book FarmTown Malvertising Campaign Courtesy 
of the Koobface Gang (2010-04-16 19:03) 

Earlier this week, another malvertising campaign affected a 
popular community, in the face of Facebook's FarmTown. 

You have to analyze, and cross-check it to believe it. 

Key summary points: 

• the email test@now.net.cn used to register all the domains 
involved in the malvertising campaign, is exclusively used by 
the Koobface gang for numerous sea reware registrations 
seen - 

a 
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Dissecting the WordPress Blogs Compromise at 
Network Solutions (2010-04-18 23:31) 

UPDATED: Network Solutions [ljissued an update to the 
situation. 

The folks at Sucuri Security have posted an update on 

[2]the reemergence of mass site compromises at Net¬ 
work Solutions, following [3]last week's WordPress 
attack. 

What has changed since last week's campaign? Several new 
domains were introduced, including new phone 



back locations, with the majority of new domains once again 
parked on the same IP as they were last week - 

64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for 
Lunarpages by MZIMA. 

The exploitation chain of the currently embedded domain is 
as follows: 

- corpadsinc.com/grep /?spl=3 &br=MSIE &vers=7.0 
&s= 

- corpadsinc.com /grep/soc.php 

- corpadsinc.com /grep/load.php?spl=ActiveX pack 

- corpadsinc.com /grep/load.php?spl=pdf 2020 

- corpadsinc.com /grep/load.php?spl=javal 

- corpadsinc.com /grep/j2 079.jar 

Detection rates for some of the obtained exploits: 

- update, vbe - [4]VB5:Encrypted-gen; Trojan- 
Downloader.VBS.Agent.yw - Result: 11/40 (27.5 %) 

- j2 079.jar - [5jExpioit.Java.29; Exploit.Java.CVE-2009- 
3867. c; JAVA/Byteverify. O - Result: 5/40 (12.5 %) 1210 
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Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy 
aut-num for Lunarpages by MZIMA are also: 

binglbalts.com - Email: aiexl978a@bigmir.net 

corpadsinc.com - Email: alexl978a@bigmir.net 


fourkingssports.com - Email: alexl978a@bigmir.net 
networkads.net - Email: aiexl978a@bigmir.net 
mainnetsoii.com - Email: alexl978a@bigmir.net 

lasvegastechreport.com 
ma uiexperts, com 
ma uisportsinsider. com 

Upon successful exploitation from corpadsinc.com the 
campaigns drops load.exe - [6]Trojan:Win32/Meredrop; 
Trojan. Win32.Sasfis.a (v) - Result: 7/40 (17.50 %). 

The sample load.exe also phones back to the following 
locations: 

- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 
&b=7231522200 &tm=8 -188.124.16.95 - Email: 

alexl 978a@bigmir. net 

- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 
&tid=6 &b=7231522200 &r=l &tm=9 

-188.124.16.96 /blackout _dem.exe 

Detection rate for blackout _dem.exe - [7]Trojan-Dropper - 
Result: 7/40 (17.5 %) which phones back to 

mazcostrol.com/inst.php ?aid=blackout - 

188.124.16.103 - Email: alexl978a@bigmir.net. 

Interestingly, the sample attempts to install a Firefox add-on 
in the following way: 



%ProgramFUes 

%\Mozilla 

Fire fox I extensions I 

{8CE11043-9A15-4207-A565-0C94C42D590D 
}\chrome\content\timer.xui - MD5: 

963136ADAA2B1C823F6C0E355800CE02 Detected by 
different vendors as IRC/Flood.gen.h or TROJ BUZUS.ZYX; 

1211 

it's also worth pointing out that the campaign's admin panel 
is pointing to a third-party - cybercrime friendly IP that's 
currently offline - corpadsinc.com/grep/stats.php -> 
HTTP/1.1 302 Found at 217.23.14.25, AS49981, 
WorldStream = Transit imports = -CAIW. 

The bottom line - although [8]Network Solutions criticized 
the [9/media last week, for blaming this [10Jon Net¬ 
work Solutions, or [HJWordPress itself, the company should 
realize that for the sake of its reputation it should always use 
the following mentality - " protect the end user from himself" 
when offering any of its services. 

Related WordPress security resources: 

[12J20 Wordpress Security Plug-ins And Tips To keep Hackers 
Away 

[13] 11 Best Ways to Improve WordPress Security 

[14J20+ Powerful Wordpress Security Plugins and Some Tips 
and Tricks 



This post has been reproduced from [15]Dancho Danchev's 
blog. Follow him [16]on Twitter. 

1. http://bloa. networksolutions. com/2010/we-feel-vour-oain - 
and-are-workina-hard-to-fix-this/ 

2. htto://bloa.sucuri. net/2010/04/network-solutions-hacked- 
a aain.html 

3. http://bloa.sucuri. net/2010/04/network-solutions-hacked- 
a aain.html 

4. 

htto.V/www. virustotal. com/analisis/1486cf5ccaa9d4539b8743 

cl 96ccb448ca40 7Jccfefadb J45468a4c43fSS9f23-l 2716 

24610 

5. 

http://www. virustotal. com/analisis/18dbae8296el274259edf 

49d0e35cl b911 c56adl 021 ef5ca6a5f49b9b915c2db-12 716 

24626 

6 . 

htto://www. virustotal. com/analisis/9e4edc0064249f2cd5cfcb 

89 7a 6c66a4ea3b9955e444dl 4b45 7e6afabfl 6dfl 5-12716 

16768 

7. 

http://www. virustotal. com/analisis/5c84af8ec355cc2d534914 

26810c2el5579092f85f0d27248el3860476c76671-12716 

























24608 


8. http://bloa.networksolutions.com/201O/alert-WordPress- 
bloa-network-solutions/ 

9. http://bloa. networksolutions. com/2010/uodate-word-oress- 
issue-fixed/ 

10. httoV/bloa.networksolutions.com/201O/uodate-word- 
press-issue-fixed/ 

11. http://wordpress. ora/development/2010/04/fiie- 
oermissions/ 

12. htto://bloa. taraaana. com/index, oh o/archive/20- 
wordoress-securit v- Dlua-ins-and-tiDS-to-keeD-hackers-a wa v/ 

13. http://www.orobloadesian.com/wordoress/11 -best-wa vs- 
to-imorove-wordoress-securit v/ 

14. htto://soeckvbov. com/2009/09/22/20-oowerful-wordoress- 
securit v- o/uains-and-some-tios-and-tricks/ 

15. htto.V/ddanchev.blo as oot. com/ 

16. htto://twitter.com/danchodanchev 
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Dissecting the WordPress Biogs Compromise at 
Network Solutions (2010-04-18 23:31) 

UPDATED: Network Solutions [1 /issued an update to the 
situation. 

The folks at Sucuri Security have posted an update on 

[2]the reemergence of mass site compromises at Net- 

















































work Solutions, following [3]last week's WordPress 
attack. 

What has changed since last week's campaign? Several new 
domains were introduced, including new phone 

back locations, with the majority of new domains once again 
parked on the same IP as they were last week - 

64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for 
Lunarpages by MZIMA. 

The exploitation chain of the currently embedded domain is 
as follows: 

- corpadsinc.com/grep /?spl=3 &br=MSIE &vers=7.0 
&s= 

- corpadsinc.com /grep/soc.php 

- corpadsinc.com /grep/load.php?spl=ActiveX pack 

- corpadsinc.com /grep/load.php?spl=pdf 2020 

- corpadsinc.com /grep/load.php?spl=javal 

- corpadsinc.com /grep/j2 079.jar 

Detection rates for some of the obtained exploits: 

- update, vbe - [4]VBS:Encrypted-gen; Trojan- 
Downloader.VBS.Agent.yw - Result: 11/40 (27.5 %) 

- j2 079.jar - [5jExpioit.Java.29; Exploit.Java.CVE-2009- 
3867. c; JAVA/Byteverify. O - Result: 5/40 (12.5 %) 1213 


Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy 
aut-num for Lunarpages by MZIMA are also: 

binglbalts.com - Email: aiexl978a@bigmir.net 

corpadsinc.com - Email: alexl978a@bigmir.net 

fourkingssports.com - Email: alexl978a@bigmir.net 

networkads.net - Email: alexl978a@bigmir.net 

mainnetsoil.com - Email: alexl978a@bigmir.net 

las vegastechreport. com 

ma uiexperts, com 

ma uisportsinsider. com 

Upon successful exploitation from corpadsinc.com the 
campaigns drops load.exe - [6]Trojan:Win32/Meredrop; 
Trojan. Win32.Sasfis.a (v) - Result: 7/40 (17.50 %). 

The sample load.exe also phones back to the following 
locations: 

- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 
&b=7231522200 &tm=8 - 188.124.16.95 - Email: 

alexl 978a@bigmir. net 

- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 
&tid=6 &b=7231522200 &r=l &tm=9 

-188.124.16.96 /blackout _dem.exe 

Detection rate for blackout _dem.exe - [7]Trojan-Dropper - 
Result: 7/40 (17.5 %) which phones back to 



mazcostrol.com/inst.php ?aid=blackout - 

188.124.16.103 - Email: alexl978a@bigmir.net. 

Interestingly, the sample attempts to install a Firefox add-on 
in the following way: 


%ProgramFUes 

%\Mozilla 

Firefox I extensions I 

{8CE11043-9A15-4207-A565-0C94C42D590D 
}\chrome\content\timer.xul - MD5: 

963136ADAA2B1C823F6C0E355800CE02 Detected by 
different vendors as IRC/Flood.gen.h or TROJ BUZUS.ZYX; 
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It's also worth pointing out that the campaign's admin panel 
is pointing to a third-party - cybercrime friendly IP that's 
currently offline - corpadsinc.com/grep/stats.php -> 
HTTP/1.1 302 Found at 217.23.14.25, A549981, 
WorldStream = Transit imports = -CAIW. 

The bottom line - although [8]Network Solutions criticized 
the [9]media last week, for blaming this [10Jon Net¬ 
work Solutions, or [11 ] Word Press itself, the company should 
realize that for the sake of its reputation it should always use 
the following mentality - " protect the end user from himself" 
when offering any of its services. 


Related WordPress security resources: 



[12] 20 Word press Security Plug-ins And Tips To keep Hackers 
Away 

[13] 11 Best Ways to Improve Word Press Security 

[14J20+ Powerful Word press Security Plugins and Some Tips 
and Tricks 

This post has been reproduced from [15]Dancho Danchev's 
blog. Follow him [16]on Twitter. 

1. http://bloa.networksolutions.com/201O/we-feei-vour-pain- 
and-are-workina-hard-to-fix-this/ 

2. httD://bloa.sucuri. net/2010/04/network-solutions-hacked- 
a aain.html 

3. httD://bloa.sucuri. net/2010/04/network-solutions-hacked- 
a aain.html 

4. 

htto://www. virustotal. com/analisis/1486cf5ccaa9d4539b8743 

cl 96ccb448ca40 7Jccfefadb 745468a4c43f333f23-l 2716 

24610 

5 . 

htto://www. virustotal. com/analisis/18dbae8296el274259edf 

49d0e35cl b911 c56adl 021 ef5ca6a5f49b9b915c2db-12 716 

24626 

6 . 

htto://www. virustotal. com/analisis/9e4edc0064249f2cd5cfcb 

897a 6c66a4ea3b9955e444dl 4b45 7e6afabfl 6dfl 5-12716 
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7. 

http: 7/www. virustotai com/analisis/5c84af8ec355cc2d534914 

26810c2el 5579092f85 Wd2 7248el 38604 76c 766 71-12716 

24608 

8. htto://bloa.networksolutions.com/2010/alert-WordPress- 
bloa-network-solutions/ 

9. htto://bloa.networksolutions.com/201O/uodate-word-oress- 
issue-fixed/ 

10. http://bloa.networksolutions.com/2010/update-word- 
press-issue-fixed/ 

11. http://wordpress. ora/development/2010/04/file- 
oermissions/ 

12. htto://bloa. taraaana. com/index, oh o/archive/20- 
wordoress-securit v- Dlua-ins-and-tios-to-keeD-hackers-awa v/ 

13. htto:7/www.orobloadesian.com/wordoress/11 -best-wa vs- 
to-imoro ve-word press-securit y/ 

14. htto://soeckvbov. com/2009/09/22/20-oowerful- wordoress- 
securit v- Dluains-and-some-tiDs-and-tricks/ 

15. htto.V/ddanchev.blo as oot. com/ 

16. htto://twitter.com/danchodanchev 
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The DNS Infrastructure of the Money Mule 
Recruitment Ecosystem (2010-04-20 18:46) 

What's the most static element of the vibrant money mule 
recruitment ecosystem? It's the DNS infrastructure that the 
the cybercriminals behind the campaigns repeatedly use to 
push new scams. 

This post aims to expose the name servers involved, the 
associates /\5s, using the research previously con¬ 
ducted on their recruitment campaigns, and their affiliations 
with multiple other cybercrime activities. 

Moreover, it's main objective is the emphasize on the fact 
that - cybercrime should stop being treated as a 

country/region specific problem, instead it should be 
treated as an international problem, with each and 
every country having its own share of cybercrime 
activity. 

• " The whole is greater than the sum of its parts" - 
[ 1 JAristotle 
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With money mule recruitment available as-a-service 
([2]Standardizing the Money Mule Recruitment 
Process) the post will only detail the activities of what's 
referred to as a " mule recruitment syndicate", in short, one 
of the most prolific syndicates with direct connections to 
numerous related cybercrime campaigns profiled over the 
past 6 


months. 


What makes an impression is the geographical distribution of 
the name servers. 11 of them are based in the 

Netherlands , another 11 are based in China , followed by 11 
more based in the United States. Here's the list of the 
related ASs and their occurrences: 

• AS34305, EUROACCESS Global Autonomous System - 

The Netherlands -11 name servers 

• AS38356, TimeNet - China -11 name servers 

• AS46664, VolumeDrive - United States -11 name 
servers 

• AS30517, Great Lakes Comnet, Inc. - United States - 9 
name servers 

• AS32097, RoadRunner RR-RC-Wholesale Internet, 
Inc.-KansasCity - United States - 9 name servers 

• AS29182, ISPSYSTEM-AS ISPsystem Autonomous 
System - Belgium - 8 name servers 

• AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name 
servers 
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Moreover, this persistent money mule recruitment syndicate 
has a domain registrar of choice in the face of the 

Turkish, [3JALATRON BUD., which is seen in the majority of 
domain registrations. 

The following active name servers have been gathered 
from the money mule recruitment campaigns profited 

in previous posts: 

• [4]Keeping Money Mule Recruiters on a Short Leash - Part 
Four 
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• [5]Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

• [6]Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

• [7]Keeping Money Mule Recruiters on a Short Leash 

• [8]Keeping Reshipping Mule Recruiters on a Short Leash 

nsl.aiwaysexit.com - 92.63.111.146 - Email: 
sob@bigmaiibox.ru - AS29182, ISPSYSTEM-AS ISPsystem 
Autonomous System 

ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS 
Global Autonomous System 


ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet 

nsl.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - 
AS29182, ISPSYSTEM-AS ISPsystem Autonomous System 
ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS 
Global Autonomous System 

ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet 

nsl.bizrestroom.ee - 92.63.110.85 - Email: hook@5mx.ru - 
AS29182, ISPSYSTEM-AS ISPsystem Autonomous System 
ns2.bizrestroom.ee -193.104.106.30 - AS34305, 
EUROACCESS Global Autonomous System 

ns3.bizrestroom.ee - 222.35.143.234 - AS38356, TimeNet 
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nsl.ehinegrowth.ee - 92.63.111.196 - Email: 
duly@fastermail.ru - AS29182, ISPSYSTEM-AS ISPsystem 
Autonomous System 

ns2.chinegrowth.cc - 85.12.46.4 - AS34305, EUROACCESS 
Global Autonomous System 

ns3.chinegrowth.cc - 222.35.143.112 - AS38356, TimeNet 

nsl.ennandpizza.ee - 87.118.81.75 - Email: 
bears@fastermail.ru - AS31103, KEYWEB-AS Key web AG 

ns2.cnnandpizza.cc -193.104.106.30 - AS34305, 
EUROACCESS Global Autonomous System 


ns3.cnnandpizza.cc - 222.35.143.236 - A538356, TimeNet 

nsl.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 
64.85.160.0/20, A530517, Great Lakes Com net, Inc. 

ns2.greezly.net - 204.12.217.250 - A532097, RoadRunner 
RR-RC-Wholesale Internet, Inc.-KansasCity ns3.greezly.net 
-204.124.182.151 - AS46664, VolumeDrive 

nsl.maninwhite.ee - 92.63.111.146 - Email: 
duly@fastermail.ru - 92.63.110.0/23 - A529182, ISPSYSTEM- 
AS ISPsystem Autonomous System 

ns2.maninwhite.ee - 85.12.46.3 - AS34305, EUROACCESS 
Global Autonomous System 

ns3.maninwhite.ee - 222.35.143.234 - AS38356, TimeNet 
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nsl.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru 
- 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem 
Autonomous System 

ns2.partytimee.cn - 85.12.46.4 - AS34305, EUROACCESS 
Global Autonomous System 

ns3.partytimee.cn - 222.35.143.235 - AS38356, TimeNet 

nsl.sandhouse.ee - 64.85.174.146 - Email: 
taunt@freenetbox.ru - 64.85.160.0/20 - AS30517, Great 


Lakes Comnet, Inc. 


ns2.sandhouse.cc - 204.12.217.253 - A532097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.sandhouse.cc - 74.118.194.82 - A546664, 
VolumeDrive 

nsl.translatasheep.net - 92.63.111.127 - Email: 
stair@freenetbox.ru - 92.63.110.0/23 - AS29182, 
ISPSYSTEM-AS 

ISPsystem Autonomous System 

ns2.translatasheep.net - 85.12.46.2 - AS34305, 
EUROACCESS Global Autonomous System 

ns3.translatasheep.net - 222.35.143.112 - AS38356, 
TimeNet 

nsl.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - 
AS29182, ISPSYSTEM-AS ISPsystem Autonomous System 
ns2.trythisok.cn - 85.12.46.2 - AS34305, EUROACCESS 
Global Autonomous System 

ns3.trythisok.cn - 222.35.143.235 - AS38356, TimeNet 
1222 


£ 




£ 


£ 


nsl.viewdreamer.com - 64.85.174.143 - 
free@freenetbox.ru - 64.85.160.0/20, AS30517, Great Lakes 
Comnet, Inc. 


ns2.viewdreamer.com - 204.12.217.250 - AS32097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.viewdreamer.com - 74.118.194.82 - A546664, 
VolumeDrive 

nsl.volcanotime.com - 64.85.174.144 - Email: 
hs@bigmailbox.ru - A530517, Great Lakes Com net, Inc. 

ns2.volcanotime.com -204.12.217.251 - A532097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.voicanotime.com - 74.118.194.88 - A546664, 
VolumeDrive 

nsl.weathernot.net - 64.85.174.145 - Email: 
bowls@5mx.ru - A530517, Great Lakes Comnet, Inc. 

ns2.weathernot.net - 204.12.217.252 - A532097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.weathernot.net - 74.118.194.89 - AS46664, 
VolumeDrive 

nsl.worldslava.ee - 64.85.174.145 - Email: 
fussy@bigmailbox.ru - A530517, Great Lakes Comnet, Inc. 

ns2.worldslava.ee - 204.12.217.252 - A532097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.worldsiava.ee - 74.118.194.84 - A546664, 
VolumeDrive 


nsl.jockscreamer.net - 64.85.174.144 - Email: 
free@freenetbox.ru - A530517, Great Lakes Com net, Inc. 

ns2.jockscreamer.net - 204.12.217.251 - AS32097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.jockscreamer.net - 74.118.194.83 - AS46664, 
VolumeDrive 

nsl.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru - 
AS30517, Great Lakes Comnet, Inc. 

ns2.uleaveit.com - 204.12.217.253 - AS32097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.uieaveit.com - 74.118.194.85 - AS46664, 

VolumeDrive 

nsl.bergamoto.com - 74.118.194.84 - Email: 
nine@freenetbox.ru - AS46664, VolumeDrive 

ns2.bergamoto.com - 222.35.143.235 - AS38356, 

TimeNet 

ns3.bergamoto.com - 85.12.46.2 - AS34305, 

EUROACCESS Global Autonomous System 

nsl.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - 
AS46664, VolumeDrive 

ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet 

ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global 
Autonomous System 
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nsl.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - 
AS30517, Great Lakes Comnet, Inc. 

ns2.peseniife.net - 204.12.217.254 - AS32097, 
RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity 
ns3.pesenlife.net - 74.118.194.86 - AS46664, 

VolumeDrive 

The business model if this syndicate can be easily 
compared to the business model of the much hyped Rus¬ 
sian Business Network in the sense that, they are either 
managing the infrastructure for someone else as a service, 
are directly involved in the recruitment and utilization of 
money mules for their own purposes, or a basically building 
inventory of mules to offer as a service to a large number of 
cybercriminals. 

The basic fact that these folks are not campaign-centered, 
but continue maintaining their ecosystem, puts 

them on the top of watch list for months to come. 

Related coverage of money laundering in the context 
of cybercrime: 

[9]Keeping Money Mule Recruiters on a Short Leash - Part 
Four 

[lOJMoney Mule Recruitment Campaign Serving Client-Side 
Exploits 

[11] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

[12] Money Mule Recruiters on Yahoo! 's Web Hosting 



[13] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[14] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[15] Keeping Reshipping Mule Recruiters on a Short Leash 

[16] Keeping Money Mule Recruiters on a Short Leash 

[17] Standardizing the Money Mule Recruitment Process 

[18] lnside a Money Laundering Group's Spamming 
Operations 

[19] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[20] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [21 JDancho Danchev's 
blog. Follow him [22Jon Twitter. 

1. htto://www. good reads, com/author/auotes/2192.Aristotle 

2. htto.V/ddanchev.blo as oot. com/2009/10/standardizin a- 
mone v-muie-recruitment. him I 

3. httos://www. alantron. com/ 

4. htto.V/ddanchev.blo as oot.com/2010/04/keeDina-mone v- 
m ule - recruiters - on - short. h tml 

5. htto.V/ddanchev.blo as oot.com/2010/03/keeDina-mone v- 
mule-recruiters-on-short.html 

6. htto.V/ddanchev.blo as oot.com/2010/02/keeDina-mone v- 
mule-recruiters-on-short.html 






















7. htto.V/ddanchev.blo as oot.com/2009/1 1/keeoina-mone v- 
mule-recruiters-on-short.html 

8. htto.V/ddanchev.blo as oot. com/2009/12/keeoin a- 
reshi o oina-mule-recruiters-on.html 
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11. htto.V/ddanchev. blo as oot. com/2010/03/keeoina-mone v- 
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mule-recruiters-on-short.htm / 

15. htto.V/ddanchev. blo as oot. com/2009/12/keeoin a- 
reshi D oina-mule-recruiters-on.html 

16. htto.V/ddanchev. blo as oot. com/2009/11/keeoina-mone v- 
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19. httD.V/ddanchev.blo as DOt.com/2008/Q7/monev-mule- 
recruiters-use-asoroxs-fast.html 


20. htto.V/ddanchev.blo as oot.com/2008/10/monev-mules 
s vndicate-activelv.html 

21. htto.V/ddanche i/. blo as oot. com/ 

22. http://twitter, com/danchodanchev 
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Dissecting Koobface Gang's Latest Face book 
Spreading Campaign (2010-04-27 14:53) 

UPDATED: Thursday, April 29, 2010: Google is aware of 
these Blogspot accounts, and is currently suspending them. 

During the weekend, our "dear friends" from [l]the 
Koobface gang - folks, you're so not forgotten, with the 
scale of diversification for your activities to be publicly 
summarized within the next few days - launched another 
spreading attempt across Facebook, with Koobface-infected 
users posting bogus video links on their walls. 

• Recommended reading: [2J10 things you didn't know 
about the Koobface gang 

What's particularly interesting about the campaign, is that 
the gang is now start to publicly acknowledge its 
connections with [3 Jxorg.pl (Malicious software includes 
40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s), 
with an actual subdomain residing there embedded on 
Koobface-serving compromised hosts. 















Moreover, the majority of sea reware domains, including the 
redirectors continue using hosting services in 

Moldova, A531252, STARNET-AS StarNet Moldova in 
particular. 

• [4] Koobface Redirectors and Scareware Campaigns 
Now Hosted in Moldova 

1227 


£ 


With the campaign still ongoing it's time to dissect it, 
expose the scareware domains portfolio and the A529073, 
ECATEL-A5 connection, with the Koobface gang a loyal 
customer of their services since November, 2009. A529073, 
ECATEL-AS Koobface gang connections: 

• [5] Koobface Botnet's Scareware Business Model - 
Part Two 

• [6]The Koobface Gang Wishes the Industry "Happy 
Holidays" 

Automatically registered Blogspot accounts used as bogus 
video links across Face book: 

aashikamorsing. blogspot. com 

alpezajeromie. blogspot. com 

andcoldjackey. blogspot. com 

asiaasiabenzaidi. blogspot. com 

a talaygraciani. blogspot. com 


barsheshetshakirat. blog spot, com 
battittastelzer. blog spot, com 
beckermasico. blog spot, com 
biedlerharjit. blog spot, com 
britainudobot. blog spot, com 
bruchnadirnadir. blog spot, com 
bryonbryonhofhenke. blog spot, com 
cecelia verner. blog spot, com 
centofantia viran. blog spot, com 
codeycodeymarcott. blog spot, com 
cottinghamginnyginny. blog spot, com 
courtenayharry. blog spot, com 
dalton-da viesheinee. blog spot, com 
dipietroaudrea.blogspot. com 
ericssonbrigid. blog spot, com 
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ervinervinturnquest. blog spot, com 
fashingbauerkylerkyler. blog spot, com 
felicetanae. blog spot, com 
friedamignogna. blog spot, com 



friedlamiraslani. blog spot, com 
garthgarthheal. blog spot, com 
ga vin-williamslielie. blog spot, com 
ginnoviaharbottle.blogspot. com 
grinolsisanna.blogspot. com 
hamiltondesantis. blog spot, com 
hananhananmoros-hanley. blog spot, com 
heberheberdellinger. blog spot, com 
iftikharkacykacy. blog spot, com 
imtiazzimmer. blog spot, com 
ireneirenejasmen. blog spot, com 
jacojaco wintermeyer. blog spot, com 
jameishaleninger. blog spot, com 
jhalaagustin.blogspot. com 
johnathenmirani. blog spot, com 
kassablynnelle. blog spot, com 
kaycieazoni. blog spot, com 
keeferjeneejenee.blogspot.com 
keibakeibaclarembeaux. blog spot, com 
kieroncro wdus. blog spot, com 



kileu lien head head, blog spot, com 
kreuzaa vins. blog spot, com 
labbatoalphaj. blog spot, com 
lellpeyton. blog spot, com 
marleenmckoi. blog spot, com 
mccarlbargin.blogspot. com 
mendizabalnayranayra.blogspot. com 
mitranoshaghayegh. blog spot, com 
momoneybeltz. blog spot, com 
m ushenkolirian. blog spot, com 
na varretem earth ur. blog spot, com 
nekolnekoltasler. blog spot, com 
nigh trasteyn. blog spot, com 
n ushn ushca ve. blog spot, com 
ortiz-maynardyvreene. blog spot, com 
padalinodarcydarcy. blog spot, com 
pan tslalala. blog spot, com 
papsteinhatem wahsh.blogspot. com 
pa van pa vandekelver. blog spot, com 
pencekleighan. blog spot, com 



puzderdenzel. blog spot, com 
rabiarabiacarruth.blogspot. com 
raeferaefejhanmmat.blogspot.com 
raheelolu. blog spot, com 
ranaranakundu.blogspot.com 
sabeenhunjan. blog spot, com 
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serroukhshymia. blog spot, com 
sertimamislay. blog spot, com 
shannonschronce. blog spot, com 
sheridanpaltiel. blog spot, com 
slomovitzvaughna. blogs pot. com 
soccicoitcoit. blog spot, com 
stengel-bohneina veina v. blog spot, com 
suedeglenna. blog spot, com 
sylvainbarnes-ri vers, blog spot, com 
tammeybutenko. blog spot, com 
tartagliatrayvis. blog spot, com 
tasunanette. blog spot, com 
teddiedommasch.blogspot. com 



temitopetodoro va. blog spot, com 
terranovataiwan.blogspot. com 
torneyatsushi. blog spot, com 
tro vatohaiahaia. blog spot, com 
tuncelintrieri. blog spot, com 
vislayo vado vad. blog spot, com 
wellkensie. blog spot, com 
yabsleyjessajessa.blogspot. com 
zedzedmorelle. blog spot, com 

UPDATED: Thursday, April 29, 2010: Another update 
Blog spot Accounts courtesy of the Koobface gang: 

aaslehnekaya. blog spot, com 

aimanaimanpaulis. blog spot, com 

altonaltonbruyninckx. blog spot, com 

annemiekenorford. blog spot, com 

asghardch. blog spot, com 

a tencioishmael. blog spot, com 

ativanichayaphongdionysios. blog spot, com 

ayorindesa voia. blog spot, com 

bagnoandreae. blog spot, com 



bakalarczykmaipumaipu. blog spot, com 
baribarithulin. blog spot, com 
be a vorda wneda wne. blog spot, com 
boninidivandivan. blog spot, com 
cabooterfinne. blog spot, com 
chakkarinlehnertz. blog spot, com 
cha varriaarumugam.blogspot. com 
coleirolenaylenay. blog spot, com 
colkittmogens. blog spot, com 
crummittgerhardt. blog spot, com 
dahmeiale veque.blogspot. com 
dalmolinparamparam. blog spot, com 
danaedanaemadan. blog spot, com 
danmakumaak. blog spot, com 
dauntazusaazusa. blog spot, com 
de vrimmasaimasai. blog spot, com 
dicksdeplancke. blog spot, com 
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dormiedyismael. blog spot, com 
dremadremareany. blog spot, com 



duffinflippen. blog spot, com 
eliyahneubecker. blog spot, com 
eloragiogio. blog spot, com 
faubertmacarena.blogspot. com 
friedlamiraslani. blog spot, com 
gallianmijanija. blog spot, com 
gandolphscootscoot. blog spot, com 
garbsayrinayrin.blogspot. com 
geerbergpo vlpo vl. blog spot, com 
gennygennytjoeng. blog spot, com 
gianiniomegalmegal. blog spot, com 
griffithlampack-layton. blog spot, com 
guerrettebrchibrchi. blog spot, com 
guillemineauramyaramya.blogspot. com 
gunheedomenick.blogspot.com 
haisedymond. blog spot, com 
halahalafales. blog spot, com 
hamidoujacijaci. blog spot, com 
hamminganoush.blogspot. com 
honamisouliotis. blog spot, com 



japeriagoding. blog spot, com 
jaymeecleto. blog spot, com 
jinghuamarmorale.blogspot. com 
kadeemrebsamen.blogspot.com 
karokaroliney. blog spot, com 
kashmirahoeger. blog spot, com 
kasidasaugust. blog spot, com 
kattylaitia. blog spot, com 
kaynatferetos. blog spot, com 
kimberlikohlmann. blog spot, com 
kissikshaney. blog spot, com 
kjerstisa tterwhite-landry. blog spot, com 
korbessamessam. blog spot, com 
kozubmarshand. blog spot, com 
kruthjancijanci. blog spot, com 
krystellecahoon. blog spot, com 
kuroi wadelphdelph. blog spot, com 
laakkokimkim. blog spot, com 
labbatoalphaj. blog spot, com 
leichtmarjmarj. blog spot, com 



leludis-matarangasdeyonna. blog spot, com 
lescailletpetopeto. blog spot, com 
letsongro ver. blog spot, com 
liermanramadan. blog spot, com 
lindingrajkishan. blog spot, com 
linsjerchell. blog spot, com 
lorrilorrihosgor. blog spot, com 
maglifitfit. blog spot, com 
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matsumarudeserae. blog spot, com 
mcsteinniecey. blog spot, com 
melitalynnelynne. blog spot, com 
menezes wendywendy. blog spot, com 
mimosepalazon. blog spot, com 
mottmottzengel. blog spot, com 
naysanmutton.blogspot.com 
nicolenabershon.blogspot. com 
nidonidobueto w. blog spot, com 
ninaninalottin.blogspot. com 
nonziodarasha. blog spot, com 



pa ndushalmon. blog spot, com 
pa we I pa we I poti. blog spot, com 
paytonbeegle.blogspot. com 
phillipoeleaseleas. blog spot, com 
philpottlurelle. blog spot, com 
pipenhagennguyen.blogspot. com 
plattsdatoria. blog spot, com 
plomaritislaurylaury. blog spot, com 
polmantameltamel.blogspot.com 
polopoloangulo. blog spot, com 
porrettifarmers. blog spot, com 
radieradiecatalina. blog spot, com 
raenellegreathouse.blogspot. com 
ranaeranaerossy. blog spot, com 
reidreidmiele-crifo. blog spot, com 
rickyrickydonis. blog spot, com 
roselinegilvin.blogspot. com 
russobriarbriar. blog spot, com 
salizaguayanilla.blogspot. com 
samuelesedere.blogspot. com 



sanchepascasie. blog spot. com 
sangyoungpadalecki. blog spot, com 
scarthscre wlie.blogspot. com 
schaumburgirishirish.blogspot. com 
schubringdheledhele. blog spot, com 
scorahchreechree. blog spot, com 
shakehcoletto. blog spot, com 
shaqareqninette.blogspot.com 
sha w-zorichemmanemman.blogspot. com 
shortalgerongeron. blog spot, com 
singhoffertymisha.blogspot. com 
sinnathuraiperminas. blog spot, com 
skjutare vikram. blog spot, com 
spa ta foraannamay. blog spot, com 
staats-meliaahronahron.blogspot.com 
tagan tagankissane. blog spot, com 
tamietamiedemirkol. blog spot, com 
tamilleca vitt. blog spot, com 
tommiekerstetter. blog spot, com 
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tosunsangbum. blog spot, com 
treechadacoppage. blog spot, com 
treziajoanjoan.blogspot. com 
triadorlacha una. blog spot, com 
tukellyaburrage. blog spot, com 
tyrisao verly. blog spot, com 
ulrikaraithatha. blog spot, com 
valericlarissa. blog spot, com 
ventronejokerjoker. blog spot, com 
victorinomeharmehar. blog spot, com 
vikvikruaut. blog spot, com 
vlrajanrajan.blogspot. com 
wasonmarilynn.blogspot. com 
we ride wendeschyma. blog spot, com 
whitwhitmontoure.blogspot. com 
wynnhannan.blogspot.com 
xochitlvillen urve. blog spot, com 
yaoskalongthorne. blog spot, com 
youyoustreit. blog spot, com 


zickkirra kina, blog spot, com 

The Blog spot accounts redirect to the following 
compromised Koobface and sea re ware serving domains: 

cartujo.org /private-clips/main.php?87bb8f2 

cerclewailoncouillet.be /main.movie/main.php?28d 

cseajudiciary. org /animateddvd/main.php?c8 

de-nachtegaele.be /main/main.php?b04ebb 

ediltermo. com /common, film/main.php ?deccfd 

forward march ministries, org /candid 
_ mo vie/main.php ?42dl 

high way77truckservice.com /pretty-clip/main.php? 
7bb2 
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kcresale.com /crazyvids/main.php ?2ee 

iibermann.phpnet.org/comicperformans/main.php? 

9b5a5a 

lode-willems.be /cute _clip/main.php?be2 

lunaairforlife.com /cruciai-clips/main.php?d3d6ccfe 

mainteck-fr.com /compiete-movie/main.php?f6 

nottinghamdo wns. com /criminaltube/main.php ? 
2388d 


programs.ppbsa.org /crazy _ video/main.php?0eal969 

richmondpowerboat.com /yourtv/main.php?89fb0 

scheron.com /delightful demonstration/main.php? 
e2f92 

Training.ppbsa.org /comic_dvd/main.php?f9261f 

vangecars. it /crazy-films/main.php ?827da 

Detection rates for Koobface samples and a sampled 
scareware: 

- setup.exe - [7]Trojan.Generic.KD.8890 - Result: 9/40 
(22.50 %) phones back to: 

- proelec-dpt. fr/. 85rfs/?action=Id gen 
&a=-1394498804 &v=108 &c_fb=0 &ie=7.0.5730.13 

- proelec-dpt.fr/.85rfs/?action=fbgen &v=108 
&crc=669 

- proelec-dpt. fr/.85rfs/?getexe=p.exe 

- p.exe - [8]Trojan.Drop.Koobface.J; W32/Koobface.GUB 

- Result: 5/41 (12.2 %) 

- koob.js - [9]Trojan:JS/Redirector - Result: 1/41 (2.44 %) 

The scareware serving domain embedded on all of the 
Koobface-serving compromised hosts is internet- 

scanner.xorg.pl?mid=312 &code=4dbl2f &d=l &s=2 

- 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova. 

Parked on 195.5.161.125 is the rest of the scareware 
domains portfolio: 



antispy-detectnl.com - Email: test@now.net.cn 
antispy-detectn2.com - Email: test@now.net.cn 
antispy-detectn3.com - Email: test@now.net.cn 
antispy-detectn5.com - Email: test@now.net.cn 
antispy-detectn7.com - Email: test@now.net.cn 
antispy-detectz2.com - Email: test@now.net.cn 
antispy-detectz4.com - Email: test@now.net.cn 
1234 

antispy-detectz5.com - Email: test@now.net.cn 
antispy-detectz7.com - Email: test@now.net.cn 
antispy-detectz9.com - Email: test@now.net.cn 
antispy-scan4i.com - Email: test@now.net.cn 
antispy-scan5i.com - Email: test@now.net.cn 
antispy-scan6i.com - Email: test@now.net.cn 
antispy-scan7i.com - Email: test@now.net.cn 
antispyscan85.com - Email: test@now.net.cn 
antispyscan89.com - Email: test@now.net.cn 
antispyscan91.com - Email: test@now.net.cn 
antispyscan92.com - Email: test@now.net.cn 
antispyscan93.com - Email: test@now.net.cn 



antispy-scan9i.com - Email: test@now.net.cn 
antispyware-nol.com - Email: test@now.net.cn 
antispyware-no3.com - Email: test@now.net.cn 

antivirla.com.xorg.pl 

antivirus-detect21.com - Email: test@now.net.cn 
antivirus-detect23.com - Email: test@now.net.cn 
antivirus-detect25.com - Email: test@now.net.cn 
antivirus-detect27.com - Email: test@now.net.cn 
antivirus-detect29.com - Email: test@now.net.cn 
antivirus-detectzl.com - Email: test@now.net.cn 
antivirus-detectz2.com - Email: test@now.net.cn 
antivirus-detectz5.com - Email: test@now.net.cn 
antivirus-detectz7.com - Email: test@now.net.cn 
antivirus-detectz9.com - Email: test@now.net.cn 
antivirus-lvl.com - Email: test@now.net.cn 
antivirus-lv2.com - Email: test@now.net.cn 
antivirus-lv3.com - Email: test@now.net.cn 
antivirus-lv5.com - Email: test@now.net.cn 
antivirus-lv8.com - Email: test@now.net.cn 
antivirus-topl.com - Email: test@now.net.cn 



antivirus-top2.com - Email: test@now.net.cn 
antivirus-top6.com - Email: test@now.net.cn 
antivirus-top8.com - Email: test@now.net.cn 

be-secured. xorg.pl 
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bestantivirusl. com.xorg.pl 

bestscanmalware. com.xorg.pl 

best-security.xorg.pl 

defender20.xorg.pl 

fa stan ti virusscannerl 5. com.xorg.pl 

fastmalwarescanl5.com.xorg.pl 

fast-scan.xorg.pl 

fastweb-scanner. com.xorg.pl 

get-protection.xorg.pl 

my-computers.xorg.pl 

protection100.xorg.pl 

protection-centerl.xorg.pl 

protectorl 0. xorg.pl 

securelO.xorg.pl 
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security 1 .xorg.pl 
securityl 00.xorg.pl 
spy-defenderl. com 
spydefenderl. com.xorg.pl 
spydefenderl 1. com.xorg.pl 
spy-defenderla.com - Email: test@now.net.cn 
spy-defender2.com - Email: test@now.net.cn 
spy-defender2a.com - Email: test@now.net.cn 
spy-defender4a.com - Email: test@now.net.cn 
spy-defender5.com - Email: test@now.net.cn 
spy-defender6a.com - Email: test@now.net.cn 
spy-defender8a.com - Email: test@now.net.cn 
spy-defender9.com - Email: test@now.net.cn 
spy-protection01.com - Email: test@now.net.cn 
spy-protectionl.com - Email: test@now.net.cn 
spy-protectionl4.com - Email: test@now.net.cn 
spy-protectionl7.com - Email: test@now.net.cn 
spy-protectionl9.com - Email: test@now.net.cn 
spy-protection3.com - Email: test@now.net.cn 



spy-protection4.com - Email: test@now.net.cn 
spy-protection6.com - Email: test@now.net.cn 
spy-protection8.com - Email: test@now.net.cn 
spy-scanner2i.com - Email: test@now.net.cn 
spy-scanner6i.com - Email: test@now.net.cn 
spy-scanner8i.com - Email: test@now.net.cn 
spyware-sweepl.com - Email: test@now.net.cn 
spyware-sweepli.com - Email: test@now.net.cn 
spyware-sweep2i.com - Email: test@now.net.cn 
spyware-sweep3.com - Email: test@now.net.cn 
spyware-sweep3i.com - Email: test@now.net.cn 
spyware-sweep4i.com - Email: test@now.net.cn 
spyware-sweep5.com - Email: test@now.net.cn 
spyware-sweep7.com - Email: test@now.net.cn 
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spyware-sweep8.com - Email: test@now.net.cn 
spyware-sweep9i.com - Email: test@now.net.cn 
virus-sweeperOi.com - Email: test@now.net.cn 
virus-sweeperl.com - Email: test@now.net.cn 


virus-sweeper2.com - Email: test@now.net.cn 
virus-sweeper2i.com - Email: test@now.net.cn 
virus-sweeper3.com - Email: test@now.net.cn 
virus-sweeper4i.com - Email: test@now.net.cn 
virus-sweeper6.com - Email: test@now.net.cn 
virus-sweeper7i.com - Email: test@now.net.cn 
virus-sweeper8.com - Email: test@now.net.cn 
virus-sweeper8i.com - Email: test@now.net.cn 
win-antispywarelO. com.xorg.pl 
windefenderl .xorg.pl 
windo ws-secure.xorg.pl 
win-security.xorg.pl 
win webscannerl 0. com.xorg.pl 

Parked within A531252, STARNET-AS StarNet Moldova are 
also: 195.5.161.11; 195.5.161.145 

spy-scanner20.com - Email: test@now.net.cn 

spy-scanner30.com - Email: test@now.net.cn 

spy-scanner3i.com - Email: test@now.net.cn 

spy-scanner40.com - Email: test@now.net.cn 

spy-scanner4i.com - Email: test@now.net.cn 



spy-scanner60.com - Email: test@now.net.cn 
spy-scanner80.com - Email: test@now.net.cn 
virscanner-done4.com - Email: test@now.net.cn 
virscanner-done5.com - Email: test@now.net.cn 

- Detection rate for the scareware sample: Setup 
_312s2. exe - [10] Heuristic. Beha vesLike. Win32. Trojan. H 

- Result: 5/40 (12.50 %) phones back to windows- 
mode.com/?b=lsl - 89.248.168.21 , AS29073, ECATEL-AS 
, Ecatel Network - Email: contact@privacy-protect.cn 
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Parked on the phone-back IP are also the following domains: 
firewaii-ruies2.com - Email: contact@privacy-protect.cn 
version-upgrade.com - Email: contact@privacy-protect.cn 
2accommodation.com - Email: ttvmaill2@hotmaii.com 
systemreserves.com - Email: contact@privacy-protect.cn 
cariport.com - Email: contact@privacy-protect.cn 
spyblocktest.com - Email: contact@privacy-protect.cn 
antispywarelist.com - Email: contact@privacy-protect.cn 
checkwhitelist.com - Email: contact@privacy-protect.cn 
chekmalwarelist.com - Email: contact@privacy-protect.cn 


Stay tuned for more updates on recent Koobface gang 
activities, beyond the Koobface botnet. 

Related Koobface gang/botnet research: 

[HJKoobface Redirectors and Scareware Campaigns Now 
Hosted in Moldova 

[12J10 things you didn't know about the Koobface gang 

[13] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[14] How the Koobface Gang Monetizes Mac OS X Traffic 

[15] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[16] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[17] Koobface Botnet Starts Serving Client-Side Exploits 

[18] Massive Scareware Serving Biackhat SEO, the Koobface 
Gang Style 

[19] Koobface Botnet's Scareware Business Model - Part Two 

[20] Koobface Botnet's Scareware Business Model - Part One 

[21 ]Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[22] New Koobface campaign spoofs Adobe's Flash updater 

[23] Social engineering tactics of the Koobface botnet 

[24] Koobface Botnet Dissected in a Trend Micro Report 



[25] Movement on the Koobface Front - Part Two 

[26] Movement on the Koobface Front 

[27] Koobface - Come Out, Come Out, Wherever You Are 
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[28] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. h tto://twitter, com /Re a /_ Koobfa ce 

2. htto://bioas.zdnet. com/securit v/? o=5452 

3. htto://www. aooale. com/safebrowsina/diaanostic? 
site=xor a.ol/ 

4. htto://ddanchev.bio as oot. com/2010/03/koobface- 
red 1rectors-and-scare ware, htmj 

5. htto.Y/ddanchev.bio as oot.com/2009/1 l/koobface-botnets- 
scareware-business, html 

6. htto.Y/ddanchev.bio as oot. com/2009/12/i<oobface-aan a- 
wishes-industrv-ha oD v.html 

7 . 

htto://www. virustotai. com/analisis/69b 78dd99321acbl dec2 

5cad3da9e9a545cb7554195081e33ca99c23a24blQe3- 

12722 

94422 


8 . 


























htto://www. virustotal. com/analisis/ad41ffce9c9c9f70b9a69c 

5cbaac2d334b42cfb03022e59d652c493bblf3508e-12722 

94936 

9. 

http://www. virustotal. com/analisis/30f5371a67cb6001 f8bb5 

dc2076bfbl 7c24c675599e99d32adc049610bc6620b-12722 

95423 

10 . 

https://www. virustotal. com/analisis/811 Ob 790ea6600f8b 712 

cc68bl 95302c450a3993df84f7163d bb 7938d22e55d0-127 

2294429 

11. htto://ddanche v. b lo g s oot, com/2010/03/koobface- 
redirectors-and-scareware.html 

12. httD://bloas.zdnet.com/securit v/? D=5452 

13. htto.V/ddanche v. b lo g s oot, com/2010/02/diverse-oortfolio- 
of-scarewareblackhat.html 

14. http://ddanche v. b lo g s oot, com/2010/02/how-koobface- 
aana-monetizes-mac-os-x, html 

15. htto.V/ddanchev. blo as oot. com/2009/12/koobface-aan a- 
wishes-industrv-ha oo v. h tml 

16. http.V/ddanchev. blo as oot. com/2009/12/koobface- 
friendlv-nccom-ltd-as29550.html 


17. htto.V/ddanche i/. blo as oot. com/2009/11/koobface-botnet- 
starts-servina-client. html 





































18. htto.V/ddanchev. blo as oot. com/2009/11/massive- 
scareware-servina-blackhat-seo.html 

19. htto.V/ddanchev. blo as oot. com/2009/11/koobface- 
botnets-scare ware-business, html 

20. htto.V/ddanchev. blo as oot. com/2009/09/koobface- 
botnets-scareware-business.html 

21. htto.V/ddanchev. blo as oot. com/2009/1O/koobface-botnet- 
redirects-facebooks-io.html 

22. htto://bloas.zdnet.com/securit v/? D=4594 

23. htto://content.zdnet. com/2346-12691 22-352597.html 

24. htto.V/ddanchev. blo as oot. com/2009/10/koobface-botnet- 
dissected-in-trendmicro. html 

25. htto.V/ddanchev.blo as oot.com/2009/08/movement-on- 
koobface-front-oart-two. html 

26. htto.V/ddanchev.blo as oot. com/2009/08/movement-on- 
koobface-front. html 

27. htto.V/ddanchev. blo as oot. com/2009/07/koobface-come- 
out-come-out-wherever-vou.html 

28. htto.V/ddanchev. blo as oot. com/2009/07/dissectin a- 
koobface-worms-twitter. html 

29. htto.V/ddanchev. blo as oot. com/ 

30. htto://twitter, com/danchodanchev 
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Dissecting Koobface Gang's Latest Face book 
Spreading Campaign (2010-04-27 14:53) 

UPDATED: Thursday, April 29, 2010: Google is aware of 
these Blogspot accounts, and is currently suspending them. 

During the weekend, our "dear friends" from [l]the 
Koobface gang - folks, you're so not forgotten, with the 
scale of diversification for your activities to be publicly 
summarized within the next few days - launched another 
spreading attempt across Facebook, with Koobface-infected 
users posting bogus video links on their walls. 

• Recommended reading: [2]10 things you didn't know 
about the Koobface gang 

What's particularly interesting about the campaign, is that 
the gang is now start to publicly acknowledge its 
connections with [3 Jxorg.pl (Malicious software includes 
40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s), 
with an actual subdomain residing there embedded on 
Koobface-serving compromised hosts. 

Moreover, the majority of sea reware domains, including the 
redirectors continue using hosting services in 

Moldova, AS31252, STARNET-AS StarNet Moldova in 
particular. 

• [4] Koobface Redirectors and Scareware Campaigns 
Now Hosted in Moldova 
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With the campaign still ongoing it's time to dissect it, 
expose the scareware domains portfolio and the AS29073, 


ECATEL-A5 connection, with the Koobface gang a loyal 
customer of their services since November, 2009. AS29073, 
ECATEL-AS Koobface gang connections: 

• [5] Koobface Botnet's Scareware Business Model - 
Part Two 

• [6]The Koobface Gang Wishes the Industry "Happy 
Holidays" 

Automatically registered Blogspot accounts used as bogus 
video links across Face book: 

aashikamorsing. blogspot. com 

alpezajeromie. blogspot. com 

andcoldjackey. blogspot. com 

asiaasiabenzaidi. blogspot. com 

a talaygraciani. blogspot. com 

barsheshetshakirat. blogspot. com 

battittastelzer. blogspot. com 

beckermasico. blogspot. com 

biedlerharjit. blogspot. com 

britainudobot. blogspot. com 

bruchnadirnadir. blogspot. com 

bryonbryonhofhenke. blogspot. com 

cecelia verner. blogspot. com 



centofantia viran. blog spot, com 
codeycodeymarcott. blog spot, com 
cottinghamginnyginny. blog spot, com 
courtenayharry. blog spot, com 
dalton-da viesheinee. blog spot, com 
dipietroaudrea.blogspot. com 
ericssonbrigid. blog spot, com 
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ervinervinturnquest. blog spot, com 
fashingbauerkylerkyler. blog spot, com 
felicetanae. blog spot, com 
friedamignogna. blog spot, com 
friedlamiraslani. blog spot, com 
garthgarthheal. blog spot, com 
ga vin- williamslielie. blog spot, com 
ginnoviaharbottle.blogspot. com 
grinolsisanna.blogspot. com 
hamiltondesantis. blog spot, com 
hananhananmoros-hanley. blog spot, com 
heberheberdellinger. blog spot, com 



iftikharkacykacy. blog spot, com 
imtiazzimmer. blog spot, com 
ireneirenejasmen. blog spot, com 
jacojaco wirite rm eye r. blog spot, com 
jameishaleninger. blog spot, com 
jhalaagustin.blogspot. com 
johnathenmirani. blog spot, com 
kassablynnelle. blog spot, com 
kaycieazoni. blog spot, com 
keeferjeneejenee.blogspot.com 
keibakeibaclarembeaux. blog spot, com 
kieroncro wdus. blog spot, com 
kilcullenheadhead. blog spot, com 
kreuzaa vins. blog spot, com 
labbatoalphaj. blog spot, com 
lellpeyton. blog spot, com 
marleenmckoi. blog spot, com 
mccarlbargin.blogspot. com 
mendizabalnayranayra.blogspot. com 
mitranoshaghayegh. blog spot, com 



momoneybeltz. blog spot, com 
m ushenkolirian. blog spot, com 
na varretemcarth ur. blog spot, com 
nekolnekoltasler. blog spot, com 
nigh trasteyn. blog spot, com 
n ushn ushca ve. blog spot, com 
ortiz-maynardyvreene. blog spot, com 
padalinodarcydarcy. blog spot, com 
pan tslalala. blog spot, com 
papsteinhatem wahsh.blogspot. com 
pa van pa vandekelver. blog spot, com 
pencekleighan. blog spot, com 
puzderdenzel. blog spot, com 
rabiarabiacarruth.blogspot. com 
raeferaefejhanmmat.blogspot.com 
raheelolu. blog spot, com 
ranaranakundu.blogspot.com 
sabeenhunjan. blog spot, com 
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serroukhshymia. blog spot, com 



sertimamislay. blog spot, com 
shannonschronce. blog spot, com 
sheridanpaltiel. blog spot, com 
slomovitzvaughna. blogs pot. com 
soccicoitcoit. blog spot, com 
stengel-bohneina vein a v. blog spot, com 
suedeglenna. blog spot, com 
sylvainbarnes-rivers. blogs pot. com 
tammeybutenko. blog spot, com 
tartagliatrayvis. blog spot, com 
tasunanette. blog spot, com 
teddiedommasch.blogspot. com 
temitopetodoro va. blog spot, com 
terra novataiwan.blogspot. com 
torneyatsushi. blog spot, com 
tro vatohaiahaia. blog spot, com 
tuncelintrieri. blog spot, com 
vislayo vado vad. blog spot, com 
wellkensie. blog spot, com 
yabsleyjessajessa.blogspot. com 



zedzedmorelle. blog spot, com 

UPDATED: Thursday, April 29, 2010: Another update 
Blogspot Accounts courtesy of the Koobface gang: 

aaslehnekaya. blogspot. com 

aimanaimanpaulis.blogspot.com 

altonaltonbruyninckx. blogspot. com 

annemiekenorford. blogspot. com 

asghardch. blogspot. com 

a tencioishmael. blogspot. com 

ativanichayaphongdionysios. blogspot. com 

ayorindesa voia. blogspot. com 

bagnoandreae. blogspot. com 

bakalarczykmaipumaipu. blogspot. com 

baribarithulin. blogspot. com 

bea vorda wneda wne. blogspot. com 

boninidivandivan. blogspot. com 

cabooterfinne. blogspot. com 

chakkarinlehnertz. blogspot. com 

cha varriaarumugam. blogspot. com 

coleirolenaylenay. blogspot. com 



colkittmogens. blog spot, com 
crummittgerhardt. blog spot, com 
dahmeialeveque.blogspot.com 
dalmolinparamparam. blog spot, com 
danaedanaemadan. blog spot, com 
danmakumaak. blog spot, com 
dauntazusaazusa. blog spot, com 
de vrimmasaimasai. blog spot, com 
dicksdeplancke. blog spot, com 
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dormiedyismael. blog spot, com 
dremadremareany. blog spot, com 
duflinflippen. blog spot, com 
eliyahneubecker. blog spot, com 
eloragiogio. blog spot, com 
faubertmacarena.blogspot. com 
friedlamiraslani. blog spot, com 
gallianinijanija. blog spot, com 
gandolphscootscoot. blog spot, com 
garbsayrinayrin.blogspot. com 



geerbergpo vlpo vl. blog spot, com 
gennygennytjoeng. blog spot, com 
gianiniomegalmegal. blog spot, com 
griffithlampack-layton. blog spot, com 
guerrettebrchibrchi. blog spot, com 
guillemineauramyaramya.blogspot. com 
gunheedomenick.blogspot.com 
haisedymond. blog spot, com 
halahalafales. blog spot, com 
hamidoujacijaci. blog spot, com 
hamminganoush.blogspot. com 
honamisouliotis. blog spot, com 
japeriagoding. blog spot, com 
jaymeecleto. blog spot, com 
jinghuamarmorale.blogspot. com 
kadeemrebsamen.blogspot.com 
karokaroliney. blog spot, com 
kashmirahoeger. blog spot, com 
kasidasaugust. blog spot, com 
kattylaitia. blog spot, com 



kaynatferetos. blog spot, com 
kimberlikohlmann. blog spot, com 
kissikshaney. blog spot, com 
kjerstisa tterwhite-landry. blog spot, com 
korbessamessam. blog spot, com 
kozubmarshand. blog spot, com 
kruthjancijanci. blog spot, com 
krystellecahoon. blog spot, com 
kuroi wadelphdelph. blog spot, com 
laakkokimkim. blog spot, com 
labbatoalphaj. blog spot, com 
leichtmarjmarj. blog spot, com 
leludis-matarangasdeyonna. blog spot, com 
lescailletpetopeto. blog spot, com 
letsongro ver. blog spot, com 
liermanramadan. blog spot, com 
lindingrajkishan. blog spot, com 
linsjerchell. blog spot, com 
lorrilorrihosgor. blog spot, com 
maglifitfit. blog spot, com 
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matsumarudeserae. blog spot, com 
mcsteinniecey. blog spot, com 
melitalynnelynne. blog spot, com 
menezes wendywendy. blog spot, com 
mimosepalazon. blog spot, com 
mottmottzengel. blog spot, com 
naysanmutton.blogspot.com 
nicolenabershon.blogspot. com 
nidonidobueto w. blog spot, com 
ninaninalottin.blogspot. com 
nonziodarasha. blog spot, com 
pandushalmon.blogspot. com 
pa we I pa we Ipoti. blog spot, com 
paytonbeegle.blogspot. com 
phillipoeleaseleas. blog spot, com 
philpottlurelle. blog spot, com 
pipenhagennguyen.blogspot. com 
plattsdatoria. blog spot, com 
plomaritislaurylaury. blog spot, com 



polmantameltamel.blogspot.com 
polopoloangulo. blog spot, com 
porrettifarmers. blog spot, com 
radieradiecatalina. blog spot, com 
raenellegreathouse.blogspot. com 
ranaeranaerossy. blog spot, com 
reidreidmiele-crifo. blog spot, com 
rickyrickydonis. blog spot, com 
roselinegilvin.blogspot. com 
russobriarbriar. blog spot, com 
salizaguayanilla.blogspot. com 
samuelesedere.blogspot. com 
sanchepascasie.blogspot. com 
sangyoungpadalecki. blog spot, com 
scarthscre wlie.blogspot. com 
schaumburgirishirish.blogspot. com 
schubringdheledhele. blog spot, com 
scorahchreechree. blog spot, com 
shakehcoletto. blog spot, com 
shaqareqninette.blogspot.com 



sha w-zorichemmanemman.blogspot. com 
shortalgerongeron. blog spot, com 
singhoffertymisha.blogspot. com 
sinnathuraiperminas. blogspot. com 
skjutare vikram. blogspot. com 
spa ta foraannamay. blogspot. com 
staats-meliaahronahron.blogspot.com 
tagan tagankissane. blogspot. com 
tamietamiedemirkol. blogspot. com 
tamilleca vitt. blogspot. com 
tommiekerstetter. blogspot. com 
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tosunsangbum. blogspot. com 
treechadacoppage. blogspot. com 
treziajoanjoan.blogspot. com 
triadorlacha una. blogspot. com 
tukellyaburrage. blogspot. com 
tyrisao verly. blogspot. com 
ulrikaraithatha. blogspot. com 


valericlarissa. blog spot, com 

ventronejokerjoker. blog spot, com 

victorinomeharmehar. blog spot, com 

vikvikruaut. blog spot, com 

vlrajanrajan.blogspot. com 

wasonmarilynn.blogspot. com 

we ride wendeschyma. blog spot, com 

whitwhitmontoure.blogspot. com 

wynnhannan.blogspot.com 

xochitlvillen urve. blog spot, com 

yaoskalongthorne. blog spot, com 

youyoustreit. blog spot, com 

zickkirrakirra.blogspot. com 

The Blog spot accounts redirect to the following 
compromised Koobface and sea re ware serving domains: 

cartujo.org /private-clips/main.php?87bb8f2 

cerclewalloncouillet.be /main.movie/main.php?28d 

cseajudiciary.org /animateddvd/main.php?c8 

de-nachtegaele.be /main/main.php?b04ebb 

ediltermo.com /common, film/main.php?deccfd 



forward march ministries, org /candid 
_ mo vie/main.php ?42dl 

high way77truckservice.com /pretty-ciip/main.php? 
7bb2 

1247 

K 

kcresaie.com /crazyvids/main.php ?2ee 

iibermann.phpnet.org/comicperformans/main.php? 

9b5a5a 

lode-willems.be /cute _clip/main.php?be2 

lunaairforlife.com /crucial-clips/main.php?d3d6ccfe 

mainteck-fr. com /compiete-movie/main.php?f6 

nottinghamdo wns. com /criminaltube/main.php ? 
2388d 

programs.ppbsa.org /crazy _ video/main.php?0eal969 

richmondpowerboat.com /yourtv/main.php?89fb0 

scheron.com /delightful demonstration/main.php? 
e2f92 

Training.ppbsa.org /comic _dvd/main.php?f9261f 

vangecars. it /crazy-films/main.php ?827da 

Detection rates for Koobface samples and a sampled 
sea re ware: 


- setup.exe - [7]Trojan.Generic.KD.8890 - Result: 9/40 
(22.50 %) phones back to: 

- proelec-dpt. fr/. 85rfs/?action=ldgen 

&a=-1394498804 &v=108 &c _fb=0 &ie=7.0.5730.13 

- proelec-dpt.fr/.85rfs/?action=fbgen &v=108 
&crc=669 

- proelec-dpt. fr/.85rfs/?getexe=p.exe 

- p.exe - [8]Trojan.Drop.Koobface.J; W32/Koobface.GUB 

- Result: 5/41 (12.2 %) 

- koob.js - [9]Trojan:JS/Redirector - Result: 1/41 (2.44 %) 

The scareware serving domain embedded on all of the 
Koobface-serving compromised hosts is internet- 

scanner.xorg.pl?mid=312 &code=4dbl2f &d=l &s=2 

- 195.5.161.125 - A531252, 5TARNET-A5 StarNet Moldova. 

Parked on 195.5.161.125 is the rest of the scareware 
domains portfolio: 

antispy-detectnl.com - Email: test@now.net.cn 
antispy-detectn2.com - Email: test@now.net.cn 
antispy-detectn3.com - Email: test@now.net.cn 
antispy-detectn5.com - Email: test@now.net.cn 
antispy-detectn7.com - Email: test@now.net.cn 
antispy-detectz2.com - Email: test@now.net.cn 
antispy-detectz4.com - Email: test@now.net.cn 
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antispy-detectz5.com - Email: test@now.net.cn 
antispy-detectz7.com - Email: test@now.net.cn 
antispy-detectz9.com - Email: test@now.net.cn 
antispy-scan4i.com - Email: test@now.net.cn 
antispy-scan5i.com - Email: test@now.net.cn 
antispy-scan6i.com - Email: test@now.net.cn 
antispy-scan7i.com - Email: test@now.net.cn 
antispyscan85.com - Email: test@now.net.cn 
antispyscan89.com - Email: test@now.net.cn 
antispyscan91.com - Email: test@now.net.cn 
antispyscan92.com - Email: test@now.net.cn 
antispyscan93.com - Email: test@now.net.cn 
antispy-scan9i.com - Email: test@now.net.cn 
antispyware-nol.com - Email: test@now.net.cn 
antispyware-no3.com - Email: test@now.net.cn 
antivirla.com.xorg.pl 

antivirus-detect21.com - Email: test@now.net.cn 
antivirus-detect23.com - Email: test@now.net.cn 
antivirus-detect25.com - Email: test@now.net.cn 



antivirus-detect27.com - Email: test@now.net.cn 
antivirus-detect29.com - Email: test@now.net.cn 
antivirus-detectzl.com - Email: test@now.net.cn 
antivirus-detectz2.com - Email: test@now.net.cn 
antivirus-detectz5.com - Email: test@now.net.cn 
antivirus-detectz7.com - Email: test@now.net.cn 
antivirus-detectz9.com - Email: test@now.net.cn 
antivirus-lvl.com - Email: test@now.net.cn 
antivirus-lv2.com - Email: test@now.net.cn 
antivirus-lv3.com - Email: test@now.net.cn 
antivirus-lv5.com - Email: test@now.net.cn 
antivirus-lv8.com - Email: test@now.net.cn 
antivirus-topl.com - Email: test@now.net.cn 
antivirus-top2.com - Email: test@now.net.cn 
antivirus-top6.com - Email: test@now.net.cn 
antivirus-top8.com - Email: test@now.net.cn 
be-secured. xorg.pl 
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bestantivirusl. com.xorg.pl 


bestscan malware, com.xorg.pl 

best-security.xorg.pl 

defender20.xorg.pl 

fa stan ti virusscannerl 5. com.xorg.pl 

fastmalwarescanl5.com.xorg.pl 

fast-scan.xorg.pl 

fastweb-scanner. com.xorg.pl 

get-protection.xorg.pl 

my-computers. xorg.pl 

protection! 00.xorg.pl 

protection-centerl.xorg.pl 

protectorl 0. xorg.pl 

securelO.xorg.pl 
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securityl .xorg.pl 

securityl 00.xorg.pl 

spy-defenderl. com 

spydefenderl. com.xorg.pl 

spydefenderl 1. com.xorg.pl 

spy-defenderla.com - Email: test@now.net.cn 



spy-defender2.com - Email: test@now.net.cn 
spy-defender2a.com - Email: test@now.net.cn 
spy-defender4a.com - Email: test@now.net.cn 
spy-defender5.com - Email: test@now.net.cn 
spy-defender6a.com - Email: test@now.net.cn 
spy-defender8a.com - Email: test@now.net.cn 
spy-defender9.com - Email: test@now.net.cn 
spy-protection01.com - Email: test@now.net.cn 
spy-protectionl.com - Email: test@now.net.cn 
spy-protectionl4.com - Email: test@now.net.cn 
spy-protectionl7.com - Email: test@now.net.cn 
spy-protectionl9.com - Email: test@now.net.cn 
spy-protection3.com - Email: test@now.net.cn 
spy-protection4.com - Email: test@now.net.cn 
spy-protection6.com - Email: test@now.net.cn 
spy-protection8.com - Email: test@now.net.cn 
spy-scanner2i.com - Email: test@now.net.cn 
spy-scanner6i.com - Email: test@now.net.cn 
spy-scanner8i.com - Email: test@now.net.cn 
spyware-sweepl.com - Email: test@now.net.cn 



spyware-sweepli.com - Email: test@now.net.cn 
spyware-sweep2i.com - Email: test@now.net.cn 
spyware-sweep3.com - Email: test@now.net.cn 
spyware-sweep3i.com - Email: test@now.net.cn 
spyware-sweep4i.com - Email: test@now.net.cn 
spyware-sweep5.com - Email: test@now.net.cn 
spyware-sweep7.com - Email: test@now.net.cn 
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spyware-sweep8.com - Email: test@now.net.cn 
spyware-sweep9i.com - Email: test@now.net.cn 
virus-sweeperOi.com - Email: test@now.net.cn 
virus-sweeperl.com - Email: test@now.net.cn 
virus-sweeper2.com - Email: test@now.net.cn 
virus-sweeper2i.com - Email: test@now.net.cn 
virus-sweeper3.com - Email: test@now.net.cn 
virus-sweeper4i.com - Email: test@now.net.cn 
virus-sweeper6.com - Email: test@now.net.cn 
virus-sweeper7i.com - Email: test@now.net.cn 
virus-sweeper8.com - Email: test@now.net.cn 


virus-sweeper8i.com - Email: test@now.net.cn 

win-antispywarelO. com.xorg.pl 

windefenderl .xorg.pl 

windo ws-secure.xorg.pl 

win-security.xorg.pl 

win webscannerl 0. com.xorg.pl 

Parked within AS31252, STARNET-AS StarNet Moldova are 
also: 195.5.161.11; 195.5.161.145 

spy-scanner20.com - Email: test@now.net.cn 

spy-scanner30.com - Email: test@now.net.cn 

spy-scanner3i.com - Email: test@now.net.cn 

spy-scanner40.com - Email: test@now.net.cn 

spy-scanner4i.com - Email: test@now.net.cn 

spy-scanner60.com - Email: test@now.net.cn 

spy-scanner80.com - Email: test@now.net.cn 

virscanner-done4.com - Email: test@now.net.cn 

virscanner-done5.com - Email: test@now.net.cn 

- Detection rate for the scareware sample: Setup 

_312s2. exe - [10] Heuristic. Be ha vesLike. Win32. Trojan. H 

- Result: 5/40 (12.50 %) phones back to windows- 
mode.com/?b=lsl - 89.248.168.21 , AS29073, ECATEL-AS 
, Ecatel Network - Email: contact@privacy-protect.cn 
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Parked on the phone-back IP are also the following domains: 

firewall-rules2.com - Email: contact@privacy-protect.cn 

version-upgrade.com - Email: contact@privacy-protect.cn 

2accommodation.com - Email: ttvmaill2@hotmail.com 

systemreserves.com - Email: contact@privacy-protect.cn 

cariport.com - Email: contact@privacy-protect.cn 

spybiocktest.com - Email: contact@privacy-protect.cn 

antispywareiist.com - Email: contact@privacy-protect.cn 

checkwhiteiist.com - Email: contact@privacy-protect.cn 

chekmalwarelist.com - Email: contact@privacy-protect.cn 

Stay tuned for more updates on recent Koobface gang 
activities, beyond the Koobface botnet. 

Related Koobface gang/botnet research: 

[HJKoobface Redirectors and Sea reware Campaigns Now 
Hosted in Moldova 

[12J10 things you didn't know about the Koobface gang 

[13] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[14] How the Koobface Gang Monetizes Mac OS X Traffic 


[15] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[16] Koobface-Friendly Riccom LTD - A529550 - (Finally) 
Taken Offline 

[17] Koobface Botnet Starts Serving Client-Side Exploits 

[18] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[19] Koobface Botnet's Scareware Business Model - Part Two 

[20] Koobface Botnet's Scareware Business Model - Part One 

[21 ]Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[22] New Koobface campaign spoofs Adobe's Flash updater 

[23] Social engineering tactics of the Koobface botnet 

[24] Koobface Botnet Dissected in a Trend Micro Report 

[25] Movement on the Koobface Front - Part Two 

[26] Movement on the Koobface Front 

[27] Koobface - Come Out, Come Out, Wherever You Are 
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[28] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. h tto://twitter, com /Re a /_ Koobfa ce 



2. htto://bloas.zdnet. com/securit v/? o=5452 


3. http://www. aooale. com/safebrowsina/diaanostic? 
site=xor a.pl/ 

4. htto.V/ddanchev.blo as oot.com/2010/03/koobface- 
redirectors-and-scareware.html 

5. htto.V/ddanchev.blo as oot. com/2009/11/koobface-botnets- 
scare ware-business, html 

6. httoV/ddanchev.blo as oot.com/2009/12/koobface-aan a- 
wishes-industrv-ha oo v. h tml 

7 . 

htto://www. virustotal. com/analisis/69b 78dd99321acbl dec2 

5cad3da9e9a545cb 7554195081 e33ca99c23a24bl 0e3- 

12722 

94422 

8 . 

htto://www. virustotal. com/analisis/ad41ffce9c9c9f70b9a69c 

5cbaac2d334b42cfb03022e59d652c493bblf3508e-12722 

94936 

9. 

htto://www. virustotal. com/analisis/30f5371a67cb6001 f8bb5 

dc2076bfbl 7c24c675599e99d32adc049610bc6620b-12722 

95423 


10 . 































httos://www. virustotal. com/analisis/811 Ob 790ea6600f8b 712 

cc68bl95302c450a3993df84f7163dbb7938d22e55d0-127 

2294429 

11. htto://ddanche v. b lo g s oot, com/2010/03/koobface- 
redirectors-and-scareware.html 

12. httD://bloas.zdnet.com/securit v/? D=5452 

13. htto.V/ddanche v. b lo g s oot, com/2010/02/diverse-oortfolio- 
of-scarewareblackhat.html 

14. htto.V/ddanchev.blo as oot.com/2010/02/how-koobface- 
aana-monetizes-mac-os-x.html 

15. htto.V/ddanchev. blo as oot. com/2009/12/koobface-aan a- 
wishes-industrv-ha oD v.html 

16. htto.V/ddanchev. blo as oot. com/2009/12/koobface- 
friendlv-riccom-ltd-as29550.html 

17. htto.V/ddanchev. blo as oot. com/2009/11/koobface-botnet- 
starts-servina-client. html 

18. htto.V/ddanchev. blo as oot. com/2009/11/massive- 
scareware-servino-blackhat-seo.html 

19. htto.V/ddanchev. blo as oot. com/2009/11/koobface- 
botnets-scareware-business.html 

20. htto.V/ddanchev. blo as oot. com/2009/09/koobface- 
botnets-scare ware-business, html 

21. htto.V/ddanchev. blo as oot. com/2009/10/koobface-botnet- 
redirects-facebooks-io. html 


22. http://bloas.zdnet.com/securit v/? o=4594 
















































23. http://content.zdnet.com/2346-12691_22-352597.html 


24. htto.V/ddanchev. blo as oot. com/2009/1O/koobface-botnet- 
dissected-in-trendmicro. html 

25. htto.V/ddanchev.blo as oot.com/2009/08/movement-on- 
koobface-front-oart-two. html 

26. htto.V/ddanchev.blo as oot.com/2009/08/movement-on- 
koobface-front. html 

27. htto.V/ddanchev. blo as oot. com/2009/07/koobface-come- 
out-come-out-wherever-vou.html 

28. htto.V/ddanchev. blo as oot. com/2009/07/dissectin a- 
koobface-worms-twitter. html 

29. htto.V/ddanchev. blo as oot. com/ 

30. htto://twitter, com/danchodanchev 
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GoDaddy's Mass WordPress Blogs Compromise 
Serving Scareware (2010-04-27 21:22) 

UPDATED: Thursday, May 13, 2010: Go Daddy posted 
the following update "[1 ] What's Up with Go Daddy, 
WordPress, PHP Exploits and Malware? ". 

UPDATED: Thursday, May 06, 2010: The following is a 
brief update of the campaign's structure, the changed IPs, 
and the newly introduced scareware samples+phone back 
locations over the past few days. 

Sample structure from last week: 























- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, 
OVH Paris 

- www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - 
A531103 ’ KEYWEB-A5 Key web AG 

- wwwl.protectsys28-pd.xorg.pl - 94.228.209.182 - 
A547869, NETROUTING-AS Netrouting Data Facilities 
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Detection rate: 

- packupdatebuildl07 2045.exe - 

[2]Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes 

- Result: 23/41 

(56.1 %) Phones back to update2.safelinkhere.net and 
upda tel.sa felinkhere. net. 

Sample structure from this week: 

- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, 
BKCNET "SIA" IZZI 

- www4.suitcase52td.net/?p= - 78.46.218.249 - 
AS24940, HETZNER-AS Fietzner Online AG RZ 

- wwwl.safetypcwork5.net/?p= - 209.212.147.244 - 
AS32181, ASN-CQ-GIGENET CoioQuest/GigeNet ASN 

- wwwl.safeyourpc22-pr.com - 209.212.147.246 - Email: 
gkook@checkjemaii. nl 


Detection rate: 


- packupdate build9 _2045.exe - 

[3]Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 
(21.95 %) 

Sample phones back to: 

- update2.keepinsafety.net /? 
jbjyhxs=kdjfOtXm 1\J2a 0Nei2Mrh24 U %3D 

- www5.my-security-engine.net 


report, land-protection, com 
/Reports/SoftServiceReport.php ?verin t 


91.207.192.24 


Email: 

gkook@checkjemaU. nl 

- secure2.securexzone.net/?abbr=MSE &pid=3 - 

78.159.108.170 - Emaikl: gkook@checkjemail.nl 

- 173.232.149.92 /chrome/report.html?uid=2045 
&wv=wvXP & 

- 74.118.193.47 /report.htmi?wv=wvXP &uid=50 
&lng= 


- 74.125.45.100 



- updatel.keepinsafety.net - 94.228.209.223 - Email: 
gkook@checkjemail. nl 

Related scareware domains part of the ongoing campaign 
are also parked on the following IPs: 

78.46.218.249 

www3. workfree20-td.xorg.pl 
www3. nojimba52-td.xorg.pl 
www3. workfree25-td.xorg.pl 
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209.212.147.244 

wwwl.newsys-scanner.com - Email: 
gkook@checkjemail. nl 

www2.securesys-scan2.net - Email: 
gkook@checkjemaU. nl 

wwwl.new-sys-scanner3.net - Email: 
gkook@checkjemaU. nl 

wwwl.safetypcwork5.net - Email: gkook@checkjemail.nl 

wwwl.securesyscare9.net - Email: 
gkook@checkjemaU. nl 

wwwl.freeguard35-pr.net - Email: gkook@checkjemail.nl 
95.169.186.25 

www4.ararat23.xorg.pl 


www3.sdfhj40-td.xorg.pl 
www3. nojimba45-td.xorg.pl 
www3. workfree36-td.xorg.pl 
www3.nojimba46-td.xorg.pl 
www4. fiting58td.xorg.pl 
www4.birbinsof.net 
94.228.209.182 

wwwl.protectsys25-pd.xorg.pl 

wwwl.protectsys26-pd.xorg.pl 

wwwl.protectsys27-pd.xorg.pl 

wwwl.protectsys28-pd.xorg.pl 

wwwl.protectsys29-pd.xorg.pl 

wwwl. soptvirus32-pr.xorg.pl 

wwwl. soptvirus34-pr.xorg.pl 
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209.212.147.246 

www2.securesys-scan2.com - Email: 
gkook@checkjemail. nl 

wwwl.newsys-scannerl.com - Email: 
gkook@checkjemaii. nl 


UPDATED: Thursday; April 29, 2010: 
kdjkfjskdfjlskdjf.com/js.php remains active and is 
currently redirecting to www3. workfree36-td.xorg.pl/? 
p= - 95.169.186.25 and wwwl.protectsys28- 

pd.xorg.pl?p= - 94.228.209.182. 

Detection 

rate: 

packupdate 
build 107 
2045.exe 


[4] Suspicious: W32/Maiware!Gemini; 

Tro¬ 
jan. Win32. Generic.pak! cobra - Result: 6/41 (14.64 %) 
phoning back to new domains: 

safelinkhere.net - 94.228.209.223 - Email: 
gkook@checkjemaii. nl 

update2.safelinkhere.net - 93.186.124.93 - Email: 
gkook@checkjemail. nl 

updatel.safelinkhere.net - 94.228.209.222 - Email: 
gkook@checkjemaii. nl 


- nsl.safeiinkhere.net - 74.118.192.23 - Email: 
gkook@checkjemail. nl 



- ns2.safelinkhere.net - 93.174.92.225 - Email: 
gkook@checkjemail. nl 

The gkook@checkjemail.nl email was used for sea reware 
registrations in December 2009' s "[5]A Diverse Portfolio 
of Fake Security Software - Part Twenty Four". 
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Parked on 74.118.192.23,, [6JAS46664 # VoiumeDrive 

(nsl.safelinkhere.net) are also: 

nsl. birbins-of. com 
nsl. clean up an ti virus, com 
nsl. ere a tepc-pcscan-korn .net 
nsl. fhio22nd.net 
nsl.letme-guardyourzone.com 
nsl. letprotectsystem. net 
nsl. my-softprotect4.net 
nsl .new-pc-protection. com 
nsl .payment-safety, net 
nsl. romsinkord. com 
nsl.safelinkhere. net 
nsl.safetyearth.net 
nsl.safety payments, net 
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nsl.sa ve-secure. com 
nsl.search4 vir. net 
nsl.systemmdefender. com 
nsl. upscanyourpc-now. com 

Parked on 93.174.92.225, [7JAS29073, ECATEL-AS, Ecatel 
Network (ns2.safelinkhere.net) are also: 

marmarams. com 

ns2. clean up an ti virus, com 

ns2.dodtorsans.net 

ns2. fastsearch-protection. com 

ns2.go-searchandscan.net 

ns2.guardsystem-scanner.net 

ns2.hot-cleanofyourpc.com 

ns2.marfilks.net 

ns2. my-systemprotection. net 

ns2. myprotected-system. com 

ns2.myprotection-zone.net 

ns2. mysystemprotection. com 

ns2.new-systemprotection. com 



ns2.newsystem-guard. com 
ns2.onguard-zone.net 
ns2.pcregrtuy. net 
ns2.plotguardto-mypc. com 
ns2.protected-field. com 
ns2.safelinkhere.net 
ns2.scanmypc-on line. com 
ns2.search-systemprotect.net 
ns2.searchscan-oniine.net 
ns2.securemyzone. com 
ns2.systemcec7.com 
ns2. trust-systemprotect. net 
ns2. trustscan-onmyzone. com 
ns2. trustsystemguard. net 
ns2. upscanyour-pcnow. com 
ns2. windows-systemshieid.net 
ns2. windows-virusscan.com 
ns2. windo wsadditionalguard. net 
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Following last week's Network Solutions mass compromise 
of Word Press blogs ([8]Dissecting the Word Press Blogs 
Compromise at Network Solutions), over the weekend 
similar incident took place GoDaddy, [9]according to 
WPSecurityLock. 

Since the campaign's URLs still active, and given the fact 
that based on historical OSINT, we can get even 

more insights into known operations of cybercriminals 
profiled before ( one of the key domains used in the 
campaign 

is registered to hiiarykneber@yahoo.com. Yes, that 
Hilary Kneber.), it's time to connect the dots. 

• Related Hilary Kneber posts: [lOJThe Kneber botnet - 
FAQ; [IlfCelebrity-Themed Scareware Campaign 
Abusing DocStoc; [12]Dissecting an Ongoing Money 
Mule Recruitment Campaign; [13]Keeping Money 
Mule Recruiters on a Short Leash - Part Four 

One of the domains used cechirecom.com/js.php - 
61.4.82.212 - Email: lee _gerstein@yahoo.co.uk was 
redirecting to www3.sdfhj40-td.xorg.pi?p= - 
95.169.186.25 and from there to 

www2.burnvirusnow34.xorg.pi?p= - 217.23.5.51. 
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The front page of the currently not responding 
cechirecom.com was returning the following message: 

• " Welcome. Site will be open shortly. Signup, question or 
abuse please send to larisadolina@yahoo.com" 


Registered with the same email, iarisadoiina@yahoo.com, is 
also another domain known have been used in similar 

attacks from February, 2010 - iss9w8s89xx.org. 

Parked on 217.23.5.51 are related sea re ware domains part 
of the campaign: 

www2. burn virusnow31.xorg.pl 

www2. burn virusnow33.xorg.pl 

www2. burn virusnow34.xorg.pl 

www2.trueguardscaner30-p.xorg.pl 

www2.trueguardscaner33-p.xorg.pl 

wwwl. sa vesysops30p.xorg.pl 

wwwl.suaguardprotectllp.xorg.pl 

www2. realsafepc32p.xorg.pl 

wwwl.suaguardprotectl3p.xorg.pl 

wwwl.suaguardprotectl4p.xorg.pl 

Detection rate for the scareware: 

- packupdate_buildl07_2045.exe - [14]VirusDoctor; 
Mal/FakeAV-BW - Result: 14/41 ( 34.15 %) with the sample 
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phoning back to the following URLs: 


- update2.savecompnow.com/index.php? 
controller=hash - 91.207.192.25 - Email: 
gkook@checkjemail. ni 

- update 2. sa vecompno w. com/index.php ? 
con troller=microinstaller 

- updatel. sa vecompno w. com/index.php ? 
controller=microinstaller - 94.228.209.223 - Email: 
gkook@checkjemail.nl The same email was originally seen 
in December 2009's "[15] A Diverse Portfolio of Fake 
Security Software - 

Part Twenty Four". Parked on these IPs are also related 
phone back locations: 

Parked on 188.124.7.156: 

savecompnow.com - Email: gkook@checkjemail.nl 
securemyfield.com - Email: gkook@checkjemail.nl 

updatel.securepro.xorg.pl 

Parked on 91.207.192.25: 

update2.savecompnow.com - Email: 
gkook@checkjemaU. nl 

update2.xorg.pl 

update2.winsystemupdates.com - Email: 
gkook@checkjemail. nl 

report.zoneguardland.net - Email: gkook@checkjemail.nl 
Parked on 94.228.209.223: 



updatel.savecompnow.com - Email: 
gkook@checkjemail. nl 

updatel. winsystemupdates.com 
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Although the cechirecom.com/js.php is not currently 
responding, parked on the same IP 61.4.82.212, is another 
currently active domain, which is registered to 

hiiarykneber@yahoo. com. 

Parked on 61.4.82.212, A517964, DXTNET Beijing Dian-Xin- 
Tong Network Technologies Co., Ltd.: 

kdjkfjskdfjiskdjf.com - Email: hilarykneber@yahoo.com 

nsl.stablednsstuff.com - Email: lee 
_gerstein@yahoo. co. uk 

js.ribblestone.com - Email: skeletor71@comcast.net - 
includes a link pointing to panelscansecurity.org/? 
affid=320 

&subid=landing - 91.212.127.19 - Email: 
bobarter@xhotmail. net 

The currently active campaign domain redirection is as 
follows: 

kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: 
hilarykneber@yahoo. com 

- www3.sdfhj40-td.xorg.pl?p= 

- wwwl.soptvirus42-pr.xorg.pl?p= -209.212.149.19 


Parked on 209.212.149.19: 


www2. burn virusnow43.xorg.pl 
www2.trueguardscaner42-p.xorg.pl 
wwwl.suaguardprotect23p.xorg.pl 
www2. realsafepc27p.xorg.pl 
wwwl. fastful I find2 7p.xorg.pl 
wwwl.yesitssafe-no w-forsure.in 
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Detection rate for the scareware: 

- packupdate build 106_2045.exe - 

[16 JTrojanDo wnloader: Win32/Fake Vimes; High Risk 
Cloaked Malware - Result: 7/41 (17.08 %) 

Just like in Network Solution's case ([ 17]Dissecting the 
WordPress Blogs Compromise at Network Solutions) 

the end user always has to be protected from himself using 
basic security auditing practices in regard to default 
WordPress installations. The rest is wishful thinking, that the 
end user would self-audit himself. 

It seems that hilarykneber@yahoo.com related activities 
are not going to go away anytime soon. 

Related WordPress security resources: 

[18] 20 Wordpress Security Plug-ins And Tips To keep 
Hackers Away 

[19] 11 Best Ways to Improve WordPress Security 



[20J20+ Powerful Word press Security Plugins and Some Tips 
and Tricks 

This post has been reproduced from [21]Dancho 
Danchev's blog. Follow him [22Jon Twitter. 

1. htto://communit v. aodaddvcom/aodaddv/whats-uo-with- 
ao-daddv-wordoress- oh o-exoloits-and-malware/ 

2 . 

https://www. virustotai. com/anaiisis/38c96fc7f402772beed9c 

83512da6189cb9b92f7f36fc8a5c8b 70f2a6fc4faab-12730 

70694 

3. 

htto://www. virustotai. com/analisis/d0bba30e43ddc5db394fd 

0c03314d2d2c2 743f7f611 C08f0ael5a8d588ffd990-12 731 

50790 

4. 

htto://www. virustotai. com/anaiisis/ad643ead6b46c70dba4 7 

41dd543342eab49d2d7dS2637f32723c0034366b44b3- 

12725 

44449 

5. htto.V/ddanchev.bio as oot. com/2009/12/diverse-oortfolio- 
of-fake-securitv html 

6. htto://ddanchev.bio as oot.com/2010/04/dns- 
infrastructure-of-monev-mule.html 

7. htto://ddanchev.bio as oot. com/2010/04/dns- 
i nfrastructure-of-monev-muie.html 




































8. htto.V/ddanchev.blo as oot.com/2010/04/dissectin a- 
wordDress-bloas-comoromise.html 

9. htto.V/www. wpsecuritvlock. com/cechriecom-com-scri ot- 
wordoress-hacked-on-aodaddv-case-stud v/ 

10. htto://bioas.zdnet. com/securit v/? o=5508 

11. htto.V/ddanchev. blo as oot. com/2009/12/celebrit v- 
themed-scareware-campaign 0 7. himl 

12. htto.V/ddanche i/. blo as oot. com/2010/02/dissectin a- 
on aoina-monev-mule.html 

13. htto.V/ddanchev. blo as oot. com/2010/04/keeoina-mone v- 
mufe-recruiters-on-short.html 

14. 

htto://www. virustotal.com/analisis/dl 0679c06cde2785c4fd8 

841607dd44692b4e2e867c015bfeac29d621a6cebd3-12723 

84002 

15. htto.V/ddanchev. blo as oot. com/2009/12/diverse-oortfolio- 
of-fake-securitv. him l 

16. 

httoV/www. virustotal. com/analisis/efd60f4c444baf2bl 91943 

85c4 77b0533580aa430el adl d664afb3d389cc9116-12723 

85512 

17. htto.V/ddanchev. blo as oot. com/2010/04/dissectin a- 
wordDress-bloas-comoromise.html 

18. htto.V/bloa. taraaana.com/index. oh o/archive/20- 
wordoress-securit v- Dlua-ins-and-tios-to-keeD-hackers-a wa v/ 
























































19. http://www. orobloadesian. com/wordoress/11 -best-wa vs- 
to-imoro ve-word press-securit y/ 


20. htto.V/soeckvbov. com/2009/09/22/20-powerful- 
wordpress-securit v- pluains-and-some-tips-and-tricks/ 

21. http.V/ddanche v. b lo g s pot, com/ 

22. http://twitter, com/danchodanchev 
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GoDaddy's Mass WordPress Blogs Compromise 
Serving Scareware (2010-04-27 21:22) 

UPDATED: Thursday, May 13, 2010: Go Daddy posted 
the following update "[1 ] What's Up with Go Daddy, 
WordPress, PHP Exploits and Malware? ". 

UPDATED: Thursday, May 06, 2010: The following is a 
brief update of the campaign's structure, the changed IPs, 
and the newly introduced scareware samples+phone back 
locations over the past few days. 

Sample structure from last week: 

- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, 
OVH Paris 

- www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - 
AS31103, KEYWEB-AS Key web AG 

- wwwl.protectsys28-pd.xorg.pl - 94.228.209.182 - 
AS47869, NETROUTING-AS Netrouting Data Facilities 
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Detection rate: 


- packupdate _buildl07_2045.exe - 

[2] Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes 

- Result: 23/41 

(56.1 %) Phones back to update2.safelinkhere.net and 
upda tel.sa felinkhere. net. 

Sample structure from this week: 

- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, 
BKCNET "SIA " IZZI 

- www4.suitcase52td.net/?p= - 78.46.218.249 - 
AS24940, HETZNER-AS Hetzner Online AG RZ 

- wwwl.safetypcwork5.net/?p= - 209.212.147.244 - 
AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN 

- wwwl.safeyourpc22-pr.com - 209.212.147.246 - Email: 
gkook@checkjemail. nl 

Detection rate: 

- packupdate _build9 _2045.exe - 

[3] Trojan.Fakealert. 7869; Mal/FakeAV-BW - Result: 9/41 
(21.95 %) 

Sample phones back to: 

- update2.keepinsafety.net /? 

jbjyhxs=kdjfOtXm 1J2a0Nei2Mrh24 U %3D 

- www5.my-security-engine.net 


report, land-protection, com 
/Reports/SoftServiceReport.php ?verin t 


91.207.192.24 


Email: 

gkook@checkjemail. nl 

- secure2.securexzone.net/?abbr=MSE &pid=3 - 

78.159.108.170 - Emaikl: gkook@checkjemail.nl 

- 173.232.149.92 /chrome/report.html?uid=2045 
&wv=wvXP & 

- 74.118.193.47 /report.html?wv=wvXP &uid=50 
&lng= 

- 74.125.45.100 

- updatel.keepinsafety.net - 94.228.209.223 - Email: 
gkook@checkjemail. nl 

Related scareware domains part of the ongoing campaign 
are also parked on the following IPs: 

78.46.218.249 

www3. workfree20-td.xorg.pl 
www3. nojimba52-td.xorg.pl 



www3. workfree25-td.xorg.pl 
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209.212.147.244 

wwwl.newsys-scanner.com - Email: 
gkook@checkjemail. nl 

www2.securesys-scan2.net - Email: 
gkook@checkjemail. nl 

wwwl.new-sys-scanner3.net - Email: 
gkook@checkjemail. nl 

wwwl.safetypcwork5.net - Email: gkook@checkjemail.nl 

wwwl.securesyscare9.net - Email: 
gkook@checkjemail. nl 

wwwl.freeguard35-pr.net - Email: gkook@checkjemail.nl 
95.169.186.25 

www4.ararat23.xorg.pl 
www3.sdfhj40-td.xorg.pl 
www3. nojimba45-td.xorg.pl 
www3. workfree36-td.xorg.pl 
www3. nojimba46-td.xorg.pl 
www4. fiting58td.xorg.pl 


www4.birbinsof.net 


94.228.209.182 


wwwl.protectsys25-pd.xorg.pl 
wwwl.protectsys26-pd.xorg.pl 
wwwl.protectsys27-pd.xorg.pl 
wwwl.protectsys28-pd.xorg.pl 
wwwl.protectsys29-pd.xorg.pl 
wwwl. soptvirus32-pr.xorg.pl 
wwwl.soptvirus34-pr.xorg.pl 
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209.212.147.246 

www2.securesys-scan2.com - Email: 
gkook@checkjemaii. ni 

wwwl.newsys-scannerl.com - Email: 
gkook@checkjemaii. nl 

UPDATED: Thursday; April 29, 2010: 
kdjkfjskdfjlskdjf.com/js.php remains active and is 
currently redirecting to www3. workfree36-td.xorg.pl/? 
p= - 95.169.186.25 and wwwl.protectsys28- 

pd.xorg.pl?p= - 94.228.209.182. 

Detection 

rate: 

packupdate 


build 107 


2045.exe 


[4] Suspicious: W32/Maiware!Gemini; 

Tro¬ 
jan.Win32.Generic.pakicobra - Result: 6/41 (14.64 %) 
phoning back to new domains: 

safelinkhere.net - 94.228.209.223 - Email: 
gkook@checkjemail. nl 

update2.safelinkhere.net - 93.186.124.93 - Email: 
gkook@checkjemail. nl 

updatel.safelinkhere.net - 94.228.209.222 - Email: 
gkook@checkjemaU. nl 

- nsl.safelinkhere.net - 74.118.192.23 - Email: 
gkook@checkjemail. nl 

- ns2.safelinkhere.net - 93.174.92.225 - Email: 
gkook@checkjemail. nl 

The gkook@checkjemail.nl email was used for sea reware 
registrations in December 2009's "[5] A Diverse Portfolio 
of Fake Security Software - Part Twenty Four". 
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Parked on 74.118.192.23 , [6JAS46664, VolumeDrive 

(nsl.safelinkhere.net) are also: 


nsl. birbins-of. com 


nsl. clean up an ti virus, com 
nsl. ere a tepc-pcscan-korn .net 
nsl. fhio22nd.net 
nsl.letme-guardyourzone.com 
nsl.letprotectsystem. net 
nsl. my-softprotect4.net 
nsl .new-pc-protection. com 
nsl .payment-safety, net 
nsl. romsinkord. com 
nsl.safelinkhere. net 
nsl.safetyearth.net 
nsl.safety payments, net 
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nsl.sa ve-secure. com 
nsl.search4 vir. net 
nsl.systemmdefender. com 
nsl. upscanyourpc-now. com 

Parked on 93.174.92.225, [7JAS29073, ECATEL-AS, Ecatel 
Network (ns2.safelinkhere.net) are also: 



marmarams. com 


ns2. clean up an ti virus, com 

ns2.dodtorsans.net 

ns2. fastsearch-protection. com 

ns2.go-searchandscan.net 

ns2.guardsystem-scanner.net 

ns2.hot-cleanofyourpc.com 

ns2.marfilks.net 

ns2. my-systemprotection. net 

ns2. myprotected-system.com 

ns2.myprotection-zone.net 

ns2. mysystemprotection. com 

ns2.new-systemprotection. com 

ns2.newsystem-guard. com 

ns2.onguard-zone.net 

ns2.pcregrtuy. net 

ns2.plotguardto-mypc. com 

ns2.protected-field. com 

ns2.safelinkhere.net 

ns2.scanmypc-online. com 



ns2.search-systemprotect.net 
ns2.searchscan-online.net 
ns2.securemyzone. com 
ns2.systemcec7.com 
ns2. trust-systemprotect. net 
ns2. trustscan-onmyzone. com 
ns2. trustsystemguard. net 
ns2. upscanyour-pcnow. com 
ns2. windows-systemshieid.net 
ns2. windows-virusscan.com 
ns2. windo wsadditionalguard. net 
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Following last week's Network Solutions mass compromise 
of Word Press blogs ([8]Dissecting the Word Press Blogs 
Compromise at Network Solutions), over the weekend 
similar incident took place GoDaddy, [9]according to 
WPSecurityLock. 

Since the campaign's URLs still active, and given the fact 
that based on historical OSINT, we can get even 

more insights into known operations of cybercriminals 
profiled before (one of the key domains used in the 
campaign 


is registered to hilarykneber@yahoo.com. Yes, that 
Hilary Kneber.), it's time to connect the dots. 

• Related Hilary Kneber posts: [10]The Kneber botnet - 
FAQ; [11 JCelebrity-Themed Scareware Campaign 
Abusing DocStoc; [12]Dissecting an Ongoing Money 
Mule Recruitment Campaign; [13]Keeping Money 
Mule Recruiters on a Short Leash - Part Four 

One of the domains used cechirecom.com/js.php - 
61.4.82.212 - Email: lee _gerstein@yahoo.co.uk was 
redirecting to www3.sdfhj40-td.xorg.pi?p= - 
95.169.186.25 and from there to 

www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. 
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The front page of the currently not responding 
cechirecom.com was returning the following message: 

• " Welcome. Site will be open shortly. Signup, question or 
abuse please send to larisadolina@yahoo.com" 

Registered with the same email, larisadolina@yahoo.com, is 
also another domain known have been used in similar 

attacks from February, 2010 - iss9w8s89xx.org. 

Parked on 217.23.5.51 are related scareware domains part 
of the campaign: 

www2. burn virusnow31.xorg.pl 
www2. burn virusnow33.xorg.pl 
www2. burn virusnow34.xorg.pl 


www2.trueguardscaner30-p.xorg.pl 

www2.trueguardscaner33-p.xorg.pl 

wwwl. sa vesysops30p.xorg.pl 

wwwl.suaguardprotectllp.xorg.pl 

www2. realsafepc32p.xorg.pl 

wwwl.suaguardprotectl3p.xorg.pl 

wwwl.suaguardprotectl4p.xorg.pl 

Detection rate for the scareware: 

- packupdate_buildl07_2045.exe - [14]VirusDoctor; 
Mai/FakeAV-BW - Result: 14/41 (34.15 %) with the sample 
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phoning back to the following URLs: 

- update2.savecompnow.com/index.php? 
controller=hash - 91.207.192.25 - Email: 
gkook@checkjemaii. nl 

- update2. sa vecompno w. com/index.php ? 
con troller=microinstaller 

- updatel. sa vecompno w. com/index.php ? 
controller=microinstaller - 94.228.209.223 - Email: 
gkook@checkjemail.nl The same email was originally seen 
in December 2009's "[15] A Diverse Portfolio of Fake 
Security Software - 


Part Twenty Four". Parked on these IPs are also related 
phone back locations: 

Parked on 188.124.7.156: 

savecompnow.com - Email: gkook@checkjemail.nl 
securemyfield.com - Email: gkook@checkjemail.nl 

updatel.securepro.xorg.pl 

Parked on 91.207.192.25: 

update2.savecompnow.com - Email: 
gkook@checkjemail. nl 

update2.xorg.pl 

update2.winsystemupdates.com - Email: 
gkook@checkjemail. nl 

report.zoneguardland.net - Email: gkook@checkjemail.nl 

Parked on 94.228.209.223: 

updatel.savecompnow.com - Email: 
gkook@checkjemaU. nl 

updatel. winsystemupdates.com 
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Although the cechirecom.com/js.php is not currently 
responding, parked on the same IP 61.4.82.212, is another 
currently active domain, which is registered to 

hilarykneber@yahoo. com. 


Parked on 61.4.82.212, A517964, DXTNET Beijing Dian-Xin- 
Tong Network Technologies Co., Ltd.: 

kdjkfjskdfjlskdjf.com - Email: hiiarykneber@yahoo.com 

nsl.stablednsstuff.com - Email: lee 
_gerstein@yahoo. co. uk 

js.ribblestone.com - Email: skeietor71@comcast.net - 
includes a link pointing to panelscansecurity.org/? 
affid=320 

&subid=landing - 91.212.127.19 - Email: 
bobarter@xhotmail. net 

The currently active campaign domain redirection is as 
follows: 

kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: 
hilarykneber@yahoo. com 

- www3.sdfhj40-td.xorg.pi?p= 

- wwwl.soptvirus42-pr.xorg.pl?p= -209.212.149.19 
Parked on 209.212.149.19: 

www2. burn virusnow43.xorg.pl 
www2.trueguardscaner42-p.xorg.pl 
wwwl.suaguardprotect23p.xorg.pl 
www2. realsafepc27p.xorg.pl 
wwwl. fastful I find2 7p.xorg.pl 
wwwl.yesitssafe-no w-forsure.in 
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Detection rate for the scareware: 

- packupdate _buildl06_2045.exe - 

[16 JTrojanDo wnloader: Win32/Fake Vimes; High Risk 
Cloaked Malware - Result: 7/41 (17.08 %) 

Just like in Network Solution's case ([17]Dissecting the 
WordPress Blogs Compromise at Network Solutions) 

the end user always has to be protected from himself using 
basic security auditing practices in regard to default 
WordPress installations. The rest is wishful thinking, that the 
end user would self-audit himself. 

It seems that hilarykneber@yahoo.com related activities 
are not going to go away anytime soon. 

Related WordPress security resources: 

[18] 20 Wordpress Security Plug-ins And Tips To keep 
Hackers Away 

[19] 11 Best Ways to Improve WordPress Security 

[20] 20+ Powerful Wordpress Security Plugins and Some Tips 
and Tricks 

This post has been reproduced from [21]Dancho 
Danchev's blog. Follow him [22]on Twitter. 

1. http://communit y aodaddv. com/aodaddy/whats-uo-with- 
ao-daddy-wordDress- Dh p-exoloits-and-malware/ 

2 . 

https://www. virustotal. com/anaiisis/38c96fc7f402772beed9c 

83512d a 6189cb9b92f7f36fc8a5c8b 7 Of2 a 6fc4faab-12730 
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3. 

http://www. virustotal. com/analisis/d0bba30e43ddc5db394fd 

0c03314d2d2c2743f7f611 cOSfOael 5a8d588ffd990-l2731 

50790 

4. 

htto://www. virustotal. com/analisis/ad643ead6b46c70dba4 7 

41dd548842eab49d2d7d52637f32723c0084366b44b3- 

12725 

44449 

5. htto://ddanchev.blo as oot. com/2009/12/diverse-Dortfolio- 
of-fake-securitv. html 

6. http.V/ddanchev.blo as oot.com/2010/04/dns- 
snfrastructure-of-monev-mule.html 

7. http.V/ddanchev.blo as oot. com/2010/04/dns- 
i nfrastructure-of-monev-mule.html 

8. http.V/ddanchev.blo as oot. com/2010/04/dissectin a- 
wordoress-bloas-comoromise.html 

9. htto://www. wosecuritvlock. com/cechriecom-com-scri ot- 
wordoress-hacked-on-aodaddv-case-stud v/ 

10. htto://bloas.zdnet.com/securit v/? o=5508 

11. htto://ddanchev. blo as oot. com/2009/12/celebrit v- 
themed-scare ware-campaign 07.html 











































12. htto.V/ddanchev. blo as oot. com/2010/02/dissectin a- 
on aoina-monev-mule.html 

13. htto.V/ddanchev. blo as oot. com/2010/04/keeoina-mone v- 
m ule - recruiters-on -short. h tml 

14. 

htto.V/www. virustotal.com/analisis/dl 0679c06cde2785c4fd8 

841607dd44692b4e2e867c015bfeac29d621a6cebd3-12723 

84002 

15. http.V/ddanchev. blo as oot. com/2009/12/diverse-oortfolio- 
of-fake-sec unity html 

16. 

htto.V/www. virustotal. com/analisis/efd60f4c444baf2bl 91943 

85 c4 77b0533580aa430el adl d664afb3d389cc9116-12 723 

85512 

17. httoV/ddanchev. blo as oot. com/2010/04/dissectin a- 
wordoress-bloas-comoromise.html 

18. htto.V/bloa. taraaana.com/index. oh o/archive/20- 
wordoress-securit v- Dlua-ins-and-tiDs-to-keeD-hackers-awa v/ 

19. htto.V/www. orobloadesian. com/wordoress/11 -best-wa vs- 
to-imoro ve-word press-securit y/ 

20. httD.V/soeckvbov.com/2009/09/22/20-oowerful- 
wordoress-secunt v- Dluains-and-some-tiDS-and-tricks/ 

21. htto.V/ddanchev. blo as oot. com/ 

22. htto://twitter, com/danchodanche i/ 
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Summarizing Zero Day's Posts for April (2010-04-29 
14:09) 

The following is a brief summary of ail of my posts at 
[ljZDNet's Zero Day for April, 2010. You [2Jean also go 
through 

[3] previous summaries, as well as subscribe to my 

[4] persona IRSS feed, [5]Zero Day's main feed, or follow me 
on Twitter: 

Recommended reading: [6]Attack of the Opt-ln Botnets; 
[7]Hundreds of high profile sites unprotected from domain 
hijacking and [8]Copyright violation alert ransomware in the 
wild 

01. [9]Facebook phishing campaign serving ZeuS 
crimeware 

02. [lOJResearchers expose complex cyber espionage 
network 

03. [lljCopyright violation alert ransomware in the wild 

04. [12]Do teens hack? Survey says 1 in 6 do 

05. [13]Google: Sea re ware accounts for 15 percent of all 
malware 

06. [14]New Mac OS X malware variant spotted 

07. [15]Hundreds of high profile sites unprotected from 
domain hijacking 


08. [16]Report: ZeuS crime ware kit, malicious PDFs drive 
growth of cybercrime 

09. [17]Attack of the Opt-ln Botnets 
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10. [18J1.5 million Face book accounts offered for sale - FAQ 

11. [19]Fiow to remove the iCPP Copyright Violation Alert 
ransomware 

This post has been reproduced from [20]Dancho 
Danchev's blog. Follow him [21]on Twitter. 

1. httD://bloas.zdnet. com/securit v 

2. htto://ddanchev.bio as oot. com/2010/04/summarizin a- 
zero-da vs- posts-for-march.html 

3. htto://ddanchev.bio as oot. com/2010/03/summarizin a- 
zero-da vs- Dosts-for.html 

4. htto://upda tes. zdnet. com/taas/dancho+danche v. him I? 
t=0&s=0&o=l&mode=rss 

5. htto://feeds.feedburner. com/zdnet/securit v 

6. httD://bloas.zdnet. com/securit vZ? o=6268 

7. httD://bloas.zdnet. com/securit v7? o=6248 

8. httD://bloas.zdnet. com/securit v/? o=6095 

9. htto://bloas.zdnet. com/securit v/? p=6000 

10. htto://bioas.zdnet. com/securit v/? p=6042 
































11. httD://bloas.zdnet. com/securit v/? D=6095 

12. httD://bloas.zdnet. com/securit v/? o=6148 

13. http://bloas.zdnet. com/securit v/? p=6176 

14. http://bloas.zdnet. com/securit v/? p=6195 

15. http.V/bloas.zdnet. com/securit v/? p=6248 

16. http://bloas.zdnet. com/securit v/? p=625 7 

17. http://bloas.zdnet. com/securit v/? p=6268 

18. http://bloas.zdnet. com/securit v/? p=6304 

19. http://bloas.zdnet. com/securit v/? p=6329 

20. http://ddanche v. b lo g s pot, com/ 

21. http://twitter, com/danchodanchev 
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U.S. Treasury Site Compromise Linked to the 
NetworkSolutions Mass WordPress Blogs 
Compromise 
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UPDATED: Saturday, May 08, 2010: 5 new domains 
have been introduced by the same gang, once again parked 
at 217.23.14.14, AS49981, WorldStream. 

jumpsearches.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

ingeniosearch.net - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

searchnations.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

mainssearch.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

bigsearchinc.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

Sample exploitation structure: 

- jumpsearches.com/bing.com /ioad.php?spi=mdac 

- jumpsearches.com/bing.com /error.js.php 

- jumpsearches.com/bing.com /pdf.php 

1280 

- jumpsearches.com/bing.com /?spl=2 &br=MSIE 
&vers=7.0 &s= 

- jumpsearches.com/bing.com /load.php?spl=pdf 
2030 

- jumpsearches.com/bing.com /load.php?spl=MS09- 
002 



UPDATED: Thursday, May 06, 2010: The cybercriminals 
behind this ongoing campaign continue introducing 

new domains - all of which are currently in a cover-up 
phrase pointing to 127.0.0.1 - over the past 24 hours. 

What's particularly interesting, is that all of them reside 
within A549981, WorldStream = Transit imports = -CAIW-, 
Netherlands. 

- twcorps.com/tv/ - 21/.23.14.15 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- [1JMD5: ebcfaa2f595ccea811/6f6fl25b31ac7 

- jobsatdoor.com/plain/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- [2JMD5: ebcfaa2f595ccea811/6f6fl25b31ac7 

- oficia.com/piain/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- [3]MD5: ebcfaa2f595ccea81176f6fl25b31ac7 

- organization-b.com/maii/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- diiingdiiing.com/router/ - 217.23.14.14 - Email: 
aiexl978a@bigmir.net, Prokopenko Aleksey 

All the samples phone back to mazcostroi.com/inst.php? 
aid=blackout now responding to 95.143.193.61, AS49//0, 
SERVERCONNECT-AS ServerConnect Sweden AB, from the 
previously known IP 188.124.16.134. 

mazcostrol.com is not just a phone back location. It's also 
actively serving client-side exploits. Sample update 



obtained from the same domain: 

- update4303.exe - [4]Trojan. Win32. VBKrypt - Result: 
5/41 (12.2 %) 

Not surprisingly, A544565 and A549770 where 
mazcostrol.com was hosted, are also the home of 
currently active ZeuS crime ware C &Cs. 

[5JA549770 (SERVERCONNECT-AS ServerConnect Sweden 
AB) 

brunongino. com 
sla venkad. com 
fron dire ass. cn 
pradsuyz.cn 

[6JAS44565 (VITAL VITAL TEKNOLOJI) 

spacebuxer. com 

odboe.info 

212.252.32.69 

jokersimson. net 

whoismak. net 

188.124.7.247 

www.bumagajet.net 


barma tuxa. info 



barmatuxa.net 


UPDATED: A researcher just pinged me with details on 
something that I should be flattered with. Apparently 

grepad.com /in.cgi?4 redirects to 217.23.14.14 /in 
t.php which then [7]redirects to my Blogger profile. 

In fact, 217.23.14.14 the IP of the client-side exploit 
serving domains also redirects there, with the actual 
campaign in a cover-up phrase, with the original domain 
now responding 127.0.0.1. 
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Let's see for how long, until then, [8]The Beatles - You 
Know My Name seems to be the appropriate music 

choice. 

[9]AVG and Panda Labs are reporting that the web sites of 

[lOjthe U.S. Bureau of Engraving and Printing 
(bep.treas.gov; moneyfactory.gov) are serving client- 
side vulnerabilities that ultimately expose the visitor to 
sea re ware ([lljThe Ultimate Guide to Scareware 
Protection). 

What's particularly interesting about this campaign is that, 
it's part of last month's NetworkSoiutions mass 

Word Press blogs compromise, in the sense that not only is 
the iFrame-d domain registered using the same email as the 
client-side exploits serving domains from the 
NetworkSoiutions campaign - aiexl978a@bigmir.net - 
but also, the dropped scareware's phone back location - 
mazcostrol. com/inst.php ?aid=blackout - 


188.124.16.134 - Email: alexl978a@bigmir.net - is identical 
to the one used in the same campaign, including the 
affiliate ID used by the original cybercriminal. 

The client-side exploit serving domain used in the the U.S 
Treasury site compromise, has also been [ 12]re - 

ported by a targe number of NetworkSotutions 
customers in the most recent campaign affecting 
Word Press blogs. 

The exploit-serving structure, including the detection rates 
for the dropped sea re ware and exploits used in the U.S 
Treasury compromise campaign, is as follows: 

- grepad.com /in.cgi?3 -188.124.16.133, AS44565, VITAL 
TEKNOLOJl - Email: alexl978a@bigmir.net 

- thejustb.com /just/ - 217.23.14.14 (dyndon.com), 

AS49981 - Email: alexl978a@bigmir.net 

- thejustb.com /just/pdf.php 

- thejustb.com /just/1.pdf 

- thejustb.com /just/load.php?spl=javas 

- thejustb.com /just/jl 893d.jar 

- thejustb.com /just/j2 079.jar 

- l.pdf - [13]Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44 %) 

- jl _893d.jar - [14]Trojan-Down\oader:Java/Agent.DJDN - 
Result: 5/41 (12.20 %) 

- j2 079.jar - [15]EXP/Java.CVE-2009-3867.C.2; 
Exploit.Java.Agent.a - Result: 9/41 (21.96 %) 



- grepad.exe - [ 16]Trojan. Generic.KD. 10339; a variant of 
Win32/lnjector. BNG - Result: 8/41 (19.51 %) 
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Upon successful exploitation the dropped grepad.exe, 
phones back to to mazcostrol.com/inst.php? 
aid=blackout - 

188.124.16.134, A544565, VITAL TEKNOLOJl - Email: 
alexl978a@bigmir.net, with the same phone back location 
also 

used in the [17]NetworkSoiutions mass compromise 
campaign. 

Known MD5's used by the same campaigner from 
previous campaigns, phoning back to the same 
domain+iden tical 

affiliate ID: 

MD5=4734162bb33eff7af7el 8243821 b397e 

MD5=1 c9cel e5f4c2f3ecl 791554a349bf456 

MD5=dl 1 d76c6ecf6a9a87dcd510294104a 66 

MD5=c33750c553e6d6bdc7dac6886f65b51d 

MD5=74cdadfbl5181a997bl5083f033644d0 

MD5=3c7d8cdc73197eddl 76167cd069878bd 

Attempting to interact with the campaign's directories often 
results in a "nice try, idiot." message. Lovely! 


Related posts: 


[18] GoDaddy's Mass Word Press Blogs Compromise Serving 
Sea re ware 

[19] Dissecting the Word Press Blogs Compromise at Network 
Solutions 

This post has been reproduced from [20]Dancho 
Danchev's blog. Follow him [21]on Twitter. 

1 . 

htto://www. virustotai. com/anaiisis/84d634a8c825c089313fa 

1036cl be3274f54f3c0964f3602de63352c39cab9cl -12731 

23708 

2 . 

httD://www. virustotai. com/analisis/84d634a8c825c089313fa 

1036cl be3274f54f3c0964f3602de63352c39cab9cl-12730 

09615 

3. 

htto://www. virustotai. com/analisis/84d634a8c825c089313fa 

1036cl be3274f54f3c0964f3602de63352c39cab9cl-12730 

09615 

4. 

h tto://www. virustotai. com/analisis/b2842a 1 a395aa627c30b 

b3313d60272558e5a2a0ab553a4fd3bb9ca60f323020- 

12731 














75155 


5. httDs://zeustracker.abuse, ch/monitor. oh o ?as=49770 
1283 

6. https://zeustrackerabuse, ch/monitor. oh o ?as=44565 

7. htto://www. blo a aer. com/orofile/0998973309544 7891258 

8. htto://www. youtube.com/watch?v=9DkaRUto3w8 

9. htto://thomoson.bloa.a va. com/2010/05/treasurv-website- 
hacked.html 

10. htto://oandalabs. oandasecuritv. com/usa-treasur v- 
website-hacked-usina-exoloit-kit/ 

11. htto://bloas.zdnet. com/securit v/? o=4297 

12. htto://bloa.sucuri.net/2010/05/new-infections-todav-at- 
network.html 

13. 

httos://www. virustotal. com/analisis/ed8f5cbe 78fffe7481a 33 

cba8161 c93724c3cf64552a2bl 3 c781901 b23f965fb-l 2 7 

2988856 

14. 

httos://www. virustotal. com/analisis/50de5fc37f46e868cl ef4 

3c2cd2b2b05d5af6390c2f3d6bbcf8dl9145abfdfaf-127 

2988861 


15 . 





































httos://www. virustotal. com/analisis/6bb42ed29360f32a5e44 

404bb97de7efb7069090d835fcab9daffd97ed73bl5c-127 

2988865 

16. 

htto://www. virustotal. com/analisis/84d634a8c825c089313fa 

1036cl be3274f54f3c0964f3602de63352c39cab9cl-12730 

00594 

17. htto.V/ddanche i/. b lo g s oot, com/2010/04/dissectin o- 
wordoress-bloas-comDromise.html 

18. htto.V/ddanchev. blo as oot. com/2010/04/aodaddvs-mass- 
wordoress-bloas. him I 

19. htto.V/ddanchev. blo as oot. com/2010/04/dissectin a- 
wordDress-bloas-comoromise.html 

20. htto.V/ddanchev. blo as oot. com/ 

21. htto://twitter, com/danchodanche i/ 

1284 


£ 


U.S. Treasury Site Compromise Linked to the 
NetworkSolutions Mass WordPress Blogs 
Compromise 

(2010-05-04 22:56) 

UPDATED: Saturday, May 08, 2010: 5 new domains 
have been introduced by the same gang, once again parked 
at 217.23.14.14, AS49981, WorldStream. 






























jumpsearches.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

ingeniosearch.net - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

searchnations.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

mainssearch.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

bigsearchinc.com - 217.23.14.14 - Email: 
alexl 978a@bigmir. net 

Sample exploitation structure: 

- jumpsearches.com/bing.com /ioad.php?spi=mdac 

- jumpsearches.com/bing.com /error.js.php 

- jumpsearches.com/bing.com /pdf.php 

1285 

- jumpsearches.com/bing.com /?spl=2 &br=MSIE 
&vers=7.0 &s= 

- jumpsearches.com/bing.com /load.php?spl=pdf 
2030 

- jumpsearches.com/bing.com /ioad.php?spi=MS09- 
002 

UPDATED: Thursday, May 06, 2010: The cybercriminals 
behind this ongoing campaign continue introducing 



new domains - all of which are currently in a cover-up 
phrase pointing to 127.0.0.1 - over the past 24 hours. 

What's particularly interesting, is that ail of them reside 
within AS49981, WorldStream = Transit Imports = -CAIW-, 
Netherlands. 

- twcorps.com/tv/ - 21/.23.14.15 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- [1JMD5: ebcfaa2f595ccea811/6f6fl25b31ac7 

- jobsatdoor.com/plain/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- [2JMD5: ebcfaa2f595ccea811/6f6fl25b31ac7 

- oficla.com/plain/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- [3]MD5: ebcfaa2f595ccea81176f6fl25b31ac7 

- organization-b.com/maii/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

- diiingdiiing.com/router/ - 217.23.14.14 - Email: 
alexl978a@bigmir.net, Prokopenko Aleksey 

All the samples phone back to mazcostroi.com/inst.php? 
aid=blackout now responding to 95.143.193.61, AS49//0, 
SERVERCONNECT-AS ServerConnect Sweden AB, from the 
previously known IP 188.124.16.134. 

mazcostrol.com is not just a phone back location. It's also 
actively serving client-side exploits. Sample update 
obtained from the same domain: 



- update4303.exe - [4]Trojan. Win32. VBKrypt - Result: 
5/41 (12.2 %) 

Not surprisingly, A544565 and A549770 where 
mazcostroi.com was hosted, are also the home of 
currently active ZeuS crimeware C &Cs. 

[5JA549770 (SERVERCONNECT-AS ServerConnect Sweden 
AB) 

brunongino. com 
sia venkad. com 
fron dire ass. cn 
pradsuyz.cn 

[6JAS44565 (VITAL VITAL TEKNOLOJI) 

spacebuxer. com 
odboe.info 
212.252.32.69 
jokersimson.net 
whoismak. net 
188.124.7.247 
www.bumagajet.net 
barma tuxa. info 


barmatuxa.net 



UPDATED: A researcher just pinged me with details on 
something that I should be flattered with. Apparently 

grepad.com /in.cgi?4 redirects to 217.23.14.14 /in 
t.php which then [7]redirects to my Blogger profile. 

In fact, 217.23.14.14 the IP of the client-side exploit 
serving domains also redirects there, with the actual 
campaign in a cover-up phrase, with the original domain 
now responding 127.0.0.1. 
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Let's see for how long, until then, [8]The Beatles - You 
Know My Name seems to be the appropriate music 

choice. 

[9]AVC and Panda Labs are reporting that the web sites of 

[lOjthe U.S. Bureau of Engraving and Printing 
(bep.treas.gov; moneyfactory.gov) are serving client- 
side vulnerabilities that ultimately expose the visitor to 
sea re ware (flljThe Ultimate Guide to Scareware 
Protection). 

What's particularly interesting about this campaign is that, 
it's part of last month's NetworkSoiutions mass 

Word Press blogs compromise, in the sense that not only is 
the iFrame-d domain registered using the same email as the 
client-side exploits serving domains from the 
NetworkSoiutions campaign - aiexl978a@bigmir.net - 
but also, the dropped scareware's phone back location - 
mazcostrol. com/inst.php ?aid=biackout - 
188.124.16.134 - Email: alexl978a@bigmir.net - is identical 


to the one used in the same campaign, including the 
affiliate ID used by the original cybercriminal. 

The client-side exploit serving domain used in the the U.S 
Treasury site compromise, has also been [12]re¬ 
ported by a large number of NetworkSolutions 
customers in the most recent campaign affecting 
Word Press blogs. 

The exploit-serving structure, including the detection rates 
for the dropped sea re ware and exploits used in the U.S 
Treasury compromise campaign, is as follows: 

- grepad.com /in. cgi?3 -188.124.16.133, AS44565, VITAL 
TEKNOLOJl - Email: alexl978a@bigmir.net 

- thejustb.com /just/ - 217.23.14.14 (dyndon.com), 

AS49981 - Email: alexl978a@bigmir.net 

- thejustb.com /just/pdf.php 

- thejustb.com /just/1.pdf 

- thejustb.com /just/load.php?spl=javas 

- thejustb.com /just/jl 893d.jar 

- thejustb.com /just/j2 079.jar 

- l.pdf - [13[Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44 %) 

- jl _893d.jar - [14]Trojan-Down\oader:Java/Agent.DJDN - 
Result: 5/41 (12.20 %) 

- j2 079.jar - [15]EXP/Java.CVE-2009-3867.C.2; 
Exploit.Java.Agent.a - Result: 9/41 (21.96 %) 



- grepad.exe - [ 16]Trojan. Generic.KD. 10339; a variant of 
Win32/lnjector. BNG - Result: 8/41 (19.51 %) 
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Upon successful exploitation the dropped grepad.exe, 
phones back to to mazcostrol.com/inst.php? 
aid=blackout - 

188.124.16.134, A544565, VITAL TEKNOLOJl - Email: 
alexl978a@bigmir.net, with the same phone back location 
also 

used in the [17]NetworkSoiutions mass compromise 
campaign. 

Known MD5's used by the same campaigner from 
previous campaigns, phoning back to the same 
domain+iden tical 

affiliate ID: 

MD5=4734162bb33eff7af7el 8243821 b397e 

MD5=1 c9cel e5f4c2f3ecl 791554a349bf456 

MD5=dl 1 d76c6ecf6a9a87dcd510294104a 66 

MD5=c33750c553e6d6bdc7dac6886f65b51d 

MD5=74cdadfbl5181a997bl5083f033644d0 

MD5=3c7d8cdc73197eddl 76167cd069878bd 

Attempting to interact with the campaign's directories often 
results in a "nice try, idiot." message. Lovely! 


Related posts: 


[18] GoDaddy's Mass Word Press Blogs Compromise Serving 
Sea re ware 

[19] Dissecting the Word Press Blogs Compromise at Network 
Solutions 

This post has been reproduced from [20]Dancho 
Danchev's blog. Follow him [21]on Twitter. 

1 . 
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From the Koobface Gang with Scareware Serving 
Compromised Sites (2010-05-08 20:46) 

Following last month's "[1 /Dissecting Koobface Gang's 
Latest Facebook Spreading Campaign " Koobface gang 
coverage, it's time to summarize some of their botnet 
spreading activities, from the last couple of days. 






























Immediately after the suspension of their automatically 
registered Blogspot accounts, the gang once again 

proved that it has contingency plans in place, and started 
pushing links to compromises sites, in a combination with 
an interesting "visual social engineering trick", across 
Facebook, which sadly works pretty well, in the sense that it 
completely undermines the " don't dick on links pointing to 
unknown sites" type of security tips. 

• Recommended reading: [2] 10 things you didn't know 
about the Koobface gang 

The diverse set of activities courtesy of the Koobface gang - 
consider going through the related posts in order to 
understand their underground multitasking mentality 
beyond the Koobface botnet itself - are a case study on the 
abuse of legitimate infrastructure with clean IP/AS 
reputation, for purely malicious purposes. 

This active use of the " trusted reputation chain", just like 
the majority of social engineering centered tactics of the 
gang, aim to exploit the ubiquitous weak link in the face of 
the average Internet user. Here's an example of the most 
recent campaign. 

The spreading of fully working links such as the following 
ones across Facebook: 

facebook. com/l/6e 7e5;bit. ly/9QjjSk 

facebook. com/l/cdfb;bit. ly/9QjjSk 

facebook. com/l/f3c29;bit. ly/9QjjSk 


1290 


aims to trick the infected user's friends, that this is a 
Facebook.com related link. Clicking on this link inside 
Facebook leads to the "Be careful" window showing just the 
bit.ly redirector, to finally redirect to 
198.65.28.86/swamt/ where a Koobface bogus video has 
already been seen by 2,601 users which have already 
clicked on the link. 

The sea re ware redirectors/actual serving domains are 
parked at 195.5.161.126, [3JA531252, STARNET-A5 Star- 

Net Moldova: 

lnasa-test.com - Email: test@now.net.cn 
lonline-test.com - Email: test@now.net.cn 
lwww2scanner.com - Email: test@now.net.cn 
2a-scanner.com - Email: test@now.net.cn 
2nasa-test.com - Email: test@now.net.cn 
2online-test.com - Email: test@now.net.cn 
2www2scanner.com - Email: test@now.net.cn 
3a-scanner.com - Email: test@now.net.cn 
3nasa-test.com - Email: test@now.net.cn 
3oniine-test.com - Email: test@now.net.cn 
3www2scanner.com - Email: test@now.net.cn 
4a-scanner.com - Email: test@now.net.cn 
4check-computer.com - Email: test@now.net.cn 



4nasa-test.com - Email: test@now.net.cn 
4online-test.com - Email: test@now.net.cn 
4www2scanner.com - Email: test@now.net.cn 
5a-scanner.com - Email: test@now.net.cn 
5nasa-test.com - Email: test@now.net.cn 
5online-test.com - Email: test@now.net.cn 
6a-scanner.com - Email: test@now.net.cn 
defence-status6.com - Email: test@now.net.cn 
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defence-status7.com - Email: test@now.net.cn 
mega-scan2.com - Email: test@now.net.cn 
protection-status2.com - Email: test@now.net.cn 
protection-status4.com - Email: test@now.net.cn 
protection-status6.com - Email: test@now.net.cn 
security-statusl.com - Email: test@now.net.cn 
security-status3.com - Email: test@now.net.cn 
security-status4.com - Email: test@now.net.cn 
security-status6.com - Email: test@now.net.cn 
securitystatus7.com - Email: test@now.net.cn 


securitystatus8.com - Email: test@now.net.cn 
securitystatus9.com - Email: test@now.net.cn 
security-status9.com - Email: test@now.net.cn 
Detection rates: 



- setup.exe - [4]Mal/Koobface-E; W32/VBTroj.CXNF - Result: 
7/41(17.08%) 


- RunAV_312s2.exe - [5]VirTool. Win32.Obfuscator.hglb 
(v); High Risk Cloaked Malware - Result: 4/41 (9.76 %) The 
scareware sample phones back to: 

- windows32-sys.com/download/winlogo.bmp - 

91.213.157.104, A513618 CAR0NET-A5N - Email: 
con ta ct@priva cy- 

protect.cn 

- sysdllupdates.com/?b=312s2 - 87.98.134.197, 
A516276, OVH Paris - Email: contact@privacy-protect.cn 

The complete list of compromised sites distributed by 
Koobface-infected Facebook users: 

02f32e3.netsolhost.com /o492dc/ 

abskupina.si /cclq/ 

adi-agencement. fr /8r2twm/ 

agilitypo wer. dk /ko2/ 

aguasdomondego.com /d5yodi/ 

alabasta.homeip.net /e8/ 

alankaye.info 72egg/ 
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alpenhaus.com.ar /a!5zvf5/ 


animationstjo. fr /5c/ 
artwork, dray ton. co. uk /k5 wz/ 
beachfishingwa.org.au /u8g98ai/ 
biidtuben.se /I9jg/ 
chaiet.se /srb/ 
charlepoeng.be /iOtwbt/ 
christchurchgastonia.org /Ihkq/ 
chunkbait.com /gb4i6ak/ 
cityangered.se /besttube/ 
ciarkecasa.net /rhk6/ 
clr.dsfm.mb.ca /2964/ 

codeditor.awardspace. biz /uncensoredclip/ 
coloridellavita.com /sc/ 
cpvs.org /6eobh0n/ 
danieletranchita.com /yourvids/ 
dennis-leah.zzl.org /m95/ 
doctorsorchestra.com /qw/ 
dueciliguria.it /zircu/ 
ediltermo.com /p4zhvj0/ 
emmedici. net /2pg46mk/ 



eurobaustoff. marketing-generator.de /52649an/ 

euskorock.es /p4zm/ 

explicitfla vour. freeiz. com /qk3r/ 

f9phx.net /svr/ 

fatucci.it /I04s8m2/ 

forward march ministries, org /lbc/ 

fotopianet.it /bnog6s/ 

frenchbean.co. uk /zwr/ 

furius.comoj.com /lazl/ 

geve.be /oj4ex4/ 

gite-maison-pyrenees-luchon. com /jox/ 

google ffffffffa0ac4d9f.omicronrecords.com /me/ 

gosin.be /ist63z/ 

grimsiovsms.se /cutetube/ 

guest, worldviewproduction.com /m2f/ 

hanssen-racing.com /jl5/ 
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helpbt.com /nqo40uq/ 
helpdroid. omicronrecords. com /7h/ 


hoganjobs.com /jrepsp/ 
holustravel.cz /5j5/ 
hoperidge.com /fitwizy/ 
hottesttomato.com /6b/ 
iglesiabetanial.com /7y7/ 
ihostu. co. uk /jic9v/ 
ilterrazzoalla veneziana.it /4 vxaq5/ 
integratek.omicronrecords.com /to4u2bd/ 
irisjard.o2switch.net /lb/ 
islandmusicexport.com /hbi2ut9/ 
isteinaudi.it /h2a/ 
johnphelan.com /uynv4/ 
jsacm.com /z6/ 
kabchicago. in fo /I cgko/ 
katia-paliotti.com /Obaktz/ 
kennethom.net /I20/ 
kleppcc.com /aliendemonstration/ 
klimentglass.cz /vwalp/ 
kvarteretekorren.se /60/ 
lanavabadajoz.com /eg/ 



langstoncorp.com /o2072c/ 
libermann.phpnet.org /madu8p/ 
lineapapel.com /8l20up/ 
longting.nl /6c h/ 
mainteck-fr.com /qjbo5v/ 
majesticdance.com /vlg/ 
mia-niisson.se /cmc/ 
microstart, fr /Izul/ 
migdal. org. il /y952eo/ 
mindbodyandsolemt.com /pnbn/ 
musicomm.ca /a5z/ 
nassnig.org /zl/ 
neweed.org /x4t/ 
nosneezes.com /5hjkdjo/ 
nottinghamdowns.com /m7ec/ 
nutman-group.com /92m/ 
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omicronsystems, inc.md /ehoO/ 
on3la.be /bgfhclg/ 


onlineadmin.net /b7uccx/ 

ornskoidskatten. se /m 1 u/ 

oxhalsobygg. se /amaizingmo vies7 

• Recommended reading: [6]Dissecting Koobface Gang 
Latest Face book Spreading Campaign 

partenaires-particuliers. fr /uo/ 

pegasolavoro.it /3i6/ 

peteknightdays.com /4ok4/ 

pheromoneforum.org /ds7 

piiatescenter.se /bgx8e/ 

plymouth-tuc.org. uk /xhaq/ 

popeur. fr /m 7ya w/ 

pro-du-bio.com /af6xtp/ 

prousaudio.com /4isg/ 

puertohurraco.org /q3algz/ 

radioiuz900am.com /3i993/ 

reporsenna.netsons.org /zvz/ 

rhigar.nu /6v/ 

richmondpowerboat.com /tifax5/ 
rmg360.co.cc /22i/ 



roninwines.com /wonderfuivids/ 
rrmaps.com /j6o/ 
rvi.it/bv6k/ 

scariett-oharas.com /my0333/ 
secure.tourinrome.org /gyp/ 
servicehandiaren.se /yq9ahw0/ 
servicehandiaren.spei-service. com /q9ql 15/ 
sgottnerivers.com /y0jl6rw/ 
shofarcall.com /zi/ 
sirius-expedition.com /x4yab/ 
slcsc. co. uk /Okem/ 
soderback.eu /xvg9/ 
spei-service.com /xm/ 
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sporthal.msolutions.be /vyx3yu/ 
steelstoneind.com /yzp/ 
stgeorgesteel.com /ji/ 
stgeorgesteel.com /yinwir/ 
stubbieholderking.com /dyarxl/ 
sweet-peasdog.se /Orejo/ 



taekwondovelden.nl /mhnskk/ 
testjustin.comze.com /oafxzy/ 
the-beehive.com /r8x3cm/ 
the-beehive.com /weqw7e/ 
thedaliestransmission.com /rjsg2/ 
thereaimagnets.comuv.com /3wnl9n/ 
thestrategicfrog. 11 Omb. com /66vv/ 
tizianozanella.it/ k2cei/ 
trustonecorp.com /mabmpp/ 
unna.nu /6 lie/ 

uroloki. omicronrecords. com /9t/ 
vaxjoff.com /4fpu/ 
veerle-frank.be /I01/ 
verdiverdi.net /3tt/ 
vision ministerial, com /pi 91/ 
waffotis.se /yufi3u/ 
watsonspipingandheating.com /krda/ 
welplandeast.com /6q/ 

WESTCOASTPERFORMANCECOATINGS. COM /I tw4/ 
williamarias.us /na9mq/ 



woodworksbyjamie.com /90mrjb/ 

wowparis2000.com /rtsz/ 

yin-art. be /a75ble/ 

youniverse.site50.net /4a 9 r 7 

Due to the diversity of its cybercrime operations, the 
Koobface gang is always worth keeping an eye on. Best 

of ail - it's done semi-automatically these days. 

The best is yet to come, stay tuned! 

Related Koobface gang/botnet research: 

[7] Dissecting Koobface Gang's Latest Facebook Spreading 
Campaign 

[8] Koobface Redirectors and Sea re ware Campaigns Now 
Hosted in Moldova 

[9] 10 things you didn't know about the Koobface gang 

[10] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[11] How the Koobface Gang Monetizes Mac OS X Traffic 

[12] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[13] Koobface-Friendiy Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[14] Koobface Botnet Starts Serving Client-Side Exploits 



[15] Massive Sea re ware Serving Blackhat SEO, the Koobface 
Gang Style 

[16] Koobface Botnet's Sea reware Business Model - Part Two 

[17] Koobface Botnet's Sea reware Business Model - Part One 

[18] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[19] New Koobface campaign spoofs Adobe's Flash updater 
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[20] Socia\ engineering tactics of the Koobface botnet 

[21] Koobface Botnet Dissected in a Trend Micro Report 

[22] Movement on the Koobface Front - Part Two 

[23] Movement on the Koobface Front 

[24] Koobface - Come Out, Come Out, Wherever You Are 

[25] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [26]Dancho 
Danchev's blog. Follow him [27]on Twitter. 

1. htto.Y/ddanchev.blo as oot. com/2010/04/dissectin a- 
koobface-aanas-iatest.html 

2. htto://www.zdnet.com/bloa/securitv/10-thin as- vou-didnt- 
know-about-the-koobface-oana/5452 

3. htto://ddanchev.blo as oot. com/2010/03/koobface- 
redirectors-and-scareware.html 















4. 


http://www.virustotal.com/analisis/6e07a43clb31464287d2 

e967226d7056366bdlfb7b6950565c212c6d47e96all~ 

12733 

38587 

5. 

htto: 7/www. virustotal. com/anaiisis/8a607a9335f08ac4fcf6ec 

ccc0fb4b2581 eQ2d03 71 ab09d22eh8 7cd8a3b68f85-12733 

38600 

6. htto.V/ddanchev.bio as oot. com/2010/04/dissectin a- 
koobface-aanas-latest. html 

7. htto.V/ddanchev.bio as oot. com/2010/04/dissectin a- 
koobface-aanas-latest.html 

8. htto://ddanchev.bio as oot. com/2010/03/koobface- 
red irecto rs-and-sca re ware, html 

9. htto://www.zdnet.com/bloa/securitv/10-thin as- vou-didnt- 
know-about-the-koobface-aana/5452 

10. htto.V/ddanchev. bio as oot. com/2010/02/diverse-oortfolio 
of-scare warebiackhat.html 

11. htto://ddanchev.bio as oot.com/2010/02/how-koobface- 
aana-monetizes-mac-os-x.html 

12. htto.V/ddanchev. bio as oot. com/2009/12/koobface-aan a- 
wishes-industrv-ha DD v.html 

13. htto.V/ddanchev. bio as oot. com/2009/12/koobface- 
friendiv-nccom-itd-as29550.htmI 










































14. htto.V/ddanchev. blo as oot. com/2009/11/koobface-botnet- 
starts-servina-client. html 

15. htto.V/ddanchev. blo as oot. com/2009/11/massive- 
scareware-servina-blackhat-seo.html 

16. htto.V/ddanchev. blo as oot. com/2009/11/koobface- 
botneis-scare ware-business, html 

17. htto.V/ddanchev. blo as oot. com/2009/09/koobface- 
botnets-scare ware-business, html 

18. htto.V/ddanchev. blo as oot. com/2009/1O/koobface-botnet- 
redirects-facebooks-io. html 

19. htto://bloas.zdnet.com/securit v/? D=4594 

20. http://content.zdnet.com/2346-12691_22-352597.html 

21. htto.V/ddanchev. blo as oot. com/2009/10/koobface-botnet- 
dissected-in-trendmicro. him! 

22. htto.V/ddanchev.blo as oot. com/2009/08/movement-on- 
koobface-front-oart-two. him! 

23. htto.V/ddanchev.blo as oot.com/2009/08/movement-on- 
koobface-front. html 

24. httoV/ddanchev. blo as oot. com/2009/07/koobface-come- 
out-come-out-wherever-vou.html 

25. htto.V/ddanchev. blo as oot. com/2009/07/dissectin a- 
koobface-worms-twitter. html 

26. htto.V/ddanchev. blo as oot. com/ 

27. htto://twitter, com/danchodanche i/ 
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From the Koobface Gang with Scareware Serving 
Compromised Sites (2010-05-08 20:46) 

Following last month's "[lJDissecting Koobface Gang's 
Latest Facebook Spreading Campaign" Koobface gang 
coverage, it's time to summarize some of their botnet 
spreading activities, from the last couple of days. 

Immediately after the suspension of their automatically 
registered Blogspot accounts, the gang once again 

proved that it has contingency plans in place, and started 
pushing links to compromises sites, in a combination with 
an interesting "visual social engineering trick", across 
Facebook, which sadly works pretty well, in the sense that it 
completely undermines the " don't dick on links pointing to 
unknown sites" type of security tips. 

• Recommended reading: [2] 10 things you didn't know 
about the Koobface gang 

The diverse set of activities courtesy of the Koobface gang - 
consider going through the related posts in order to 
understand their underground multitasking mentality 
beyond the Koobface botnet itself - are a case study on the 
abuse of legitimate infrastructure with clean IP/AS 
reputation, for purely malicious purposes. 

This active use of the " trusted reputation chain", just like 
the majority of social engineering centered tactics of the 
gang, aim to exploit the ubiquitous weak link in the face of 


the average Internet user. Here's an example of the most 
recent campaign. 

The spreading of fully working links such as the following 
ones across Facebook: 

face book. com/l/6e 7e5;bit. ly/9QjjSk 

facebook. com/l/cdfb;bit. ly/9QjjSk 

facebook. com/l/f3c29;bit. ly/9QjjSk 
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aims to trick the infected user's friends, that this is a 
Facebook.com related link. Clicking on this link inside 
Facebook leads to the "Be careful" window showing just the 
bit.ly redirector, to finally redirect to 
198.65.28.86/swamt/ where a Koobface bogus video has 
already been seen by 2,601 users which have already 
clicked on the link. 

The sea re ware redirectors/actual serving domains are 
parked at 195.5.161.126, [3JAS31252, 5TARNET-A5 Star- 

Net Moldova: 

lnasa-test.com - Email: test@now.net.cn 
lonline-test.com - Email: test@now.net.cn 
lwww2scanner.com - Email: test@now.net.cn 
2a-scanner.com - Email: test@now.net.cn 
2nasa-test.com - Email: test@now.net.cn 


2online-test.com - Email: test@now.net.cn 
2www2scanner.com - Email: test@now.net.cn 
3a-scanner.com - Email: test@now.net.cn 
3nasa-test.com - Email: test@now.net.cn 
3online-test.com - Email: test@now.net.cn 
3www2scanner.com - Email: test@now.net.cn 
4a-scanner.com - Email: test@now.net.cn 
4check-computer.com - Email: test@now.net.cn 
4nasa-test.com - Email: test@now.net.cn 
4oniine-test.com - Email: test@now.net.cn 
4www2scanner.com - Email: test@now.net.cn 
5a-scanner.com - Email: test@now.net.cn 
5nasa-test.com - Email: test@now.net.cn 
5oniine-test.com - Email: test@now.net.cn 
6a-scanner.com - Email: test@now.net.cn 
defence-status6.com - Email: test@now.net.cn 
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defence-status7.com - Email: test@now.net.cn 
mega-scan2.com - Email: test@now.net.cn 


protection-status2.com - Email: test@now.net.cn 
protection-status4.com - Email: test@now.net.cn 
protection-status6.com - Email: test@now.net.cn 
security-statusl.com - Email: test@now.net.cn 
security-status3.com - Email: test@now.net.cn 
security-status4.com - Email: test@now.net.cn 
security-status6.com - Email: test@now.net.cn 
securitystatus7.com - Email: test@now.net.cn 
securitystatus8.com - Email: test@now.net.cn 
securitystatus9.com - Email: test@now.net.cn 
security-status9.com - Email: test@now.net.cn 
Detection rates: 

- setup.exe - [4]Mal/Koobface-E; W32/VBTroj.CXNF - Result: 
7/41(17.08%) 

- RunAV_312s2.exe - [5]VirTool. Win32.Obfuscator.hgib 
(v); High Risk Cloaked Malware - Result: 4/41 (9.76 %) The 
scareware sample phones back to: 

- windows32-sys.com/downioad/winiogo.bmp - 

91.213.157.104 > AS 13618 CARONET-ASN - Email: 
con ta ct@priva cy- 


protect.cn 



- sysdllupdates.com/?b=312s2 - 87.98.134.197, 
A516276, OVH Paris - Email: contact@privacy-protect. 

The complete list of compromised sites distributed by 
Koobface-infected Facebook users: 

02f32e3.netsolhost.com 7o492dc/ 

abskupina.si /cclq/ 

adi-agencement. fr /8r2twm/ 

agilitypo wer. dk /ko27 

aguasdomondego.com /d5yodi7 

alabasta.homeip.net 7e87 

alankaye.info 72egg/ 
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a I pen haus.com. ar 7al5zvf5/ 
animationstjo. fr /5c/ 
artwork, dray ton. co. uk /k5 wz/ 
beachfishingwa.org.au /u8g98ai/ 
biidtuben.se /I9jg/ 
chalet.se /srb/ 
charlepoeng.be /iOtwbt/ 
christchurchgastonia. org /lhkq/ 


chunkbait.com /gb4i6ak/ 
cityangered.se /besttube/ 
clarkecasa.net /rhk6/ 
clr.dsfm.mb.ca /2964/ 

codeditor. a ward space, biz /uncensoredclip/ 
coloridellavita.com /sc/ 
cpvs.org /6eobh0n/ 
danieletranchita. com /yourvids/ 
dennis-leah.zzl.org /m95/ 
doctorsorchestra.com /qw/ 
dueciliguria.it /zircu/ 
ediltermo.com /p4zhvj0/ 
emmedici. net /2pg46mk/ 

eurobaustoff.marketing-generator.de /52649an/ 

euskorock.es /p4zm/ 

expiicitfia vour. freeiz. com /qk3r/ 

f9phx.net /svr/ 

fatucci.it /I04s8m2/ 

forward march ministries, org /lbc/ 

fotoplanet.it /bnog6s/ 



frenchbean.co. uk /zwr/ 
furius.comoj.com /lazl/ 
geve.be /oj4ex4/ 

gite-maison-pyrenees-luchon. com /jox/ 

google ffffffffa0ac4d9f.omicronrecords. com /me/ 

gosin.be /ist63z/ 

grimsiovsms.se /cutetube/ 

guest, worldviewproduction.com /m2f/ 

hanssen-racing.com /jl5/ 
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helpbt.com /nqo40uq/ 
helpdroid. omicronrecords. com /7h/ 
hoganjobs.com /jrepsp/ 
holustravel.cz /5j5/ 
hoperidge.com /fitwizy/ 
hottesttomato.com /6b/ 
iglesiabetanial.com /7y7/ 
ihostu. co. uk /jic9v/ 
ilterrazzoalla veneziana. it /4 vxaq5/ 


integrated omicronrecords.com /to4u2bd/ 
irisjard.o2switch.net /lb/ 
isiandmusicexport.com /hbi2ut9/ 
isteinaudi.it /h2a/ 
johnphelan.com /uynv4/ 
jsacm.com /z6/ 
kabchicago.info /lcgko/ 
katia-paliotti.com /Obaktz/ 
kennethom.net /I20/ 
kleppcc.com /aliendemonstration/ 
klimentglass.cz /vwaip/ 
kvarteretekorren.se /60/ 
lanavabadajoz.com /eg/ 
langstoncorp.com /o2072c/ 
libermann.phpnet.org /madu8p/ 
lineapapel.com /8l20up/ 
longting.nl /6c h/ 
mainteck-fr.com /qjbo5v/ 
majesticdance.com /vlg/ 
mia-niisson.se /cmc/ 



microstart, fr /Izul/ 
migdal. org. H /y952eo/ 
mindbodyandsolemt.com /pnbn/ 
musicomm.ca /a5z/ 
nassnig.org /zl/ 
neweed.org /x4t/ 
nosneezes.com /Shjkdjo/ 
nottinghamdowns.com /m7ec/ 
nutman-group.com /92m/ 
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omicronsystems.inc.md /ehoO/ 

on3la.be /bgfhclg/ 

onlineadmin.net /b7uccx/ 

ornskoidska tten. se /m 1 u/ 

oxhalsobygg. se /amaizingmo vies/ 

• Recommended reading: [6]Dissecting Koobface Gang 
Latest Face book Spreading Campaign 

partenaires-particuliers. fr /uo/ 

pegasolavoro.it /3I6/ 


peteknightdays.com /4ok4/ 
pheromoneforum.org /ds/ 
pitatescenter.se /bgx8e/ 
plymouth-tuc.org. uk /xhaq/ 
popeur. fr /m 7ya w/ 
pro-du-bio.com /af6xtp/ 
prousaudio.com /4isg7 
puertohurraco.org /q3algz/ 
radioiuz900am.com / 3i993/ 
reporsenna.netsons.org /zvz/ 
rhigar. nu /6v/ 

richmondpowerboat.com /tifax5/ 
rmg360.co.cc /22i/ 
roninwines.com /wonderfulvids/ 
rrmaps.com /j6o/ 
rvi.it/bv6k/ 

scarlett-oharas.com /my0333/ 
secure.tourinrome.org /qyp/ 
servicehandiaren.se /yq9ahw0/ 
servicehandiaren.spei-service.com /q9ql 15/ 



sgottnerivers.com /y0jl6rw/ 
shofarcall.com /zi/ 
sirius-expedition.com /x4yab/ 
slcsc. co. uk /Okem/ 
soderback.eu /xvg9V 
spei-service.com /xm/ 
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sporthai.msoiutions.be /vyx3yu/ 
steelstoneind.com /yzp/ 
stgeorgesteel.com /ji/ 
stgeorgesteei.com /yinwir/ 
stubbieholderking.com /dyarxl/ 
sweet-peasdog.se AOre jo/ 
taekwondovelden.nl /mhnskk/ 
testjustin.comze.com /oafxzy/ 
the-beehive.com /r8x3cm/ 
the-beehive.com /weqw7e/ 
thedaiiestransmission.com /rjsg2/ 
therealmagnets.comuv.com /3wnl9n/ 
thestrategicfrog. 11 Omb. com /66vv/ 



tizianozanella.it/ k2cei/ 
trustonecorp.com /mabmpp/ 
unna.nu /6lie/ 

uroloki. omicronrecords. com /9t/ 
vaxjoff.com /4fpu/ 
veerle-frank.be /iOl/ 
verdiverdi.net /3tt/ 
vision ministerial, com /pi 91/ 
waffotis.se /yufi3u/ 
watsonspipingandheating.com /krda/ 
welplandeast.com /6q/ 

WESTCOASTPERFORMANCECOATINGS. COM /I tw4/ 

williamarias.us /na9mq/ 

woodworksbyjamie.com /90mrjb/ 

wowparis2000.com /rtsz/ 

yin-art. be /a75ble/ 

youniverse.site50.net /4a9r/ 

Due to the diversity of its cybercrime operations, the 
Koobface gang is always worth keeping an eye on. Best 

of all - it's done semi-automatically these days. 



The best is yet to come, stay tuned! 

Related Koobface gang/botnet research: 


[7] Dissecting Koobface Gang's Latest Facebook Spreading 
Campaign 

[8] Koobface Redirectors and Sea re ware Campaigns Now 
Hosted in Moldova 

[9] 10 things you didn't know about the Koobface gang 

[10] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[llJHow the Koobface Gang Monetizes Mac OS X Traffic 

[12] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[13] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[14] Koobface Botnet Starts Serving Client-Side Exploits 

[15] Massive Sea re ware Serving Blackhat SEO, the Koobface 
Gang Style 

[16] Koobface Botnet's Scareware Business Model - Part Two 

[17] Koobface Botnet's Scareware Business Model - Part One 

[18] Koobface Botnet Redirects Facebook’s IP Space to my 
Blog 

[19] New Koobface campaign spoofs Adobe's Flash updater 
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[20] 5ocial engineering tactics of the Koobface botnet 

[21] Koobface Botnet Dissected in a Trend Micro Report 

[22] Movement on the Koobface Front - Part Two 

[23] Movement on the Koobface Front 

[24] Koobface - Come Out, Come Out, Wherever You Are 

[25] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [26]Dancho 
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TorrentReactor.net Serving Crimeware, Client-Side 
Exploits Through a Malicious Ad (2010-05-11 08:34) 

Deja vu! 

[ljjerome Segura at the Malware Diaries is reporting that 
TorrentReactor.net, a high-trafficked torrents tracker, is 
currently serving live-exploits through a malicious ad served 
by " Fulldls.com - Your source for daily torrent downloads". 


























Why deja vu? It's because the [2]TorrentReactor.net 
malware campaign takes me back to 2008 , among the 

very first extensive profiting of Russian Business Network 
activity, with their mass "input validation abuse" campaign 
back then, successfully appearing on numerous high- 
trafficked web sites, serving guess what? Sea reware. 

Moreover, despite the surprisingly large number of people 
still getting impressed by the use of http referrers 

as an evasive practice applied by the cybercriminals, these 
particular campaigns ([3]ZDNet Asia and Torrent Re actor 
IFRAME-ed; [4JWired.com and History.com Getting RBN-ed; 
[5JMassive IFRAME 5E0 Poisoning Attack Continuing) 

are a great example of this practice in use back then: 

• So the malicious parties are implementing simple referrer 
techniques to verify that the end users coming to 

their IP, are the ones they expect to come from the 
campaign, and not client-side honey pots or even security 

researchers. And if you're not coming from you're supposed 
to come, you get a 404 error message, deceptive 

to the very end of it. 

The most recent compromise of TorrentReactor.net 
appears to be taking place through a malicioud ad serving 
exploits using the NeoSploit kit, which ultimately drops a 
ZeuS crime ware sample hosted within a fast-flux botnet. 
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The campaign structure, including detection rates, phone 
back locations and ZeuS crimeware fast-flux related data is 
as follows: 

- ads. fulldls.com /phpadsnew/www/delivery/afr.php? 
zoneid=l &cb=291476 

- ad.leet.la /stats?ref= .*ads\.fulldls\.com $ - 

208.111.34.38 - Email: bertrand.crevin@bruteie.com 

(leet.la - 

212.68.193.197 - AS12392, ASBRUTELE AS Object for 
Bruteie SC) 

- lo.dep.lt/info/usl.html - 91.212.12/.110 - lo.dep.lt - 

91.212.12/.110 - AS49087, Telos-Solutions-AS Telos 
Solutions LTD 

- 91.216.3.108 /del/index.php; 91.216.3.108 
/cal/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey 
Valerievich 

- 91.216.3.108 responding to gaihooxaefap.com - 

Nikolay Vukolov, Email: woven@qx8.ru 

Upon successful exploitation, the following malicious pdf is 
served: 

- eac27d.pdf - [6]Exploit.PDF-JS. Gen (v); JS:Pdfka-AET; - 
Result: 6/40 (15 %) which when executed phones back to 

91.216.3.108 

/cal/banner. php/1 fdal 61 dabl edd2f385d43c705a541 
d3?spl=pdf _30apr and drops: 

- myexebr.exe - [ 7 ]TSPY_QAKBOT.SMG - Result: 17/41 

(41.4 7 %) which then phones back to the ZeuS crimeware C 


&C: [8 Jsaiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 
- Email: spasm@maillife.ru 
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Fast-fluxed domains sharing the same infrastructure: 

demiliawes.com - Email: bust@qx8.ru 

jademason.com - 213.156.118.221; 217.201.4.95; 
24.139.152.4; 83.10.238.182; 85.176.73.211; 
112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: 
blare@bigmailbox. ru 

laxahngeezoh.com -190.135.224.89; 213.156.118.221; 
217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 
112.201.223.129; 119.228.44.124 - Email: 
zig@fastermail. ru 

line-ace.com - Email: greysy@gmx.com 

xareemudeixa.com -112.201.223.129; 119.228.44.124; 
170.51.231.93; 190.135.224.89; 213.156.118.221; 

217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: 
writhe@fastermail. ru 

zeferesds.com -190.135.224.89; 213.156.118.221; 
217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 
112.201.223.129; 119.228.44.124 - Email: 
mated@freemailbox. ru 

Name servers of notice: 

nsl.rexonna.net - 202.60.74.39 - Email: 
aquvafrog@animail.net 


ns2.rexonna.net - 25.120.19.23 



nsl.line-ace.com - 202.60.74.39 - Email: 
greysy@gmx. com 

ns2.line-ace.com - 67.15.223.219 

nsl.growthproperties.net - 62.19.3.2 - Email: 
growth@support.net 

ns2.growthproperties.net -15.94.34.196 

nsl.tropic-noik.com - 62.19.3.2 - Email: 
greysy@gmx. com 

ns2.tropic-noik.com -171.103.51.158 

These particular iFrame injection Russian Business 
Network's campaigns from 2008, used to rely on the 
following URL 

for their malicious purposes - a-n-d- 
the.com/wtr/router.php (216.255.185.82 - INTERCAGE- 
NETW0RK-GR0UP2). 

Why am / highlighting it? Excerpts from previous profiled 
campaigns, including one that is directly linked to the 
Koobface gang's blackhat SEO operations. 

[9JU.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding : 

• The compromised/mis-configured web sites participating 
in this latest blackhat SEO campaign are surprisingly 

redirecting to a-n-d-the.com /wtr/router.php - 

95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT 
AS 



NETDIRECT Frankfurt, DE if the http referrer condition isn't 
met. This very same domain - back then parked 

at INTERCAGE-NETW0RK-GR0UP2 - was also used in the 
same fashion in March, 2008's massive blackhat 5E0 

campaigns serving sea re ware. 

Not only is a-n-d-the.com /wtr/router.php 

(95.168.177.35) (Web [lOJsessions of the URL acting as 
[ll]a redirector), the exact same URL that was in 
circulating in 2008, residing on the Russian Business 
Network's netblock back then, still active, but also, it's 
currently redirecting to - if the campaign's evasive 
conditions are met - to www4.zaikob8.xorg.pl/?uid=213 
&pid=3 &ttl=31345701120 - 217.149.251.12. 

What this proves is fairly simple - with or without the 
Russian Business Network the way we used to know it, 

it's customers simply moved on to the competition, whereas 
the original Russian Business Network simply diversified its 
netblocks ownership. 

Related posts: 

[12JZDNet Asia and TorrentReactor IFRAME-ed 

[13] Wired.com and FHstory.com Getting RBN-ed 

[14] Massive /FRAME SEO Poisoning Attack Continuing 
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This post has been reproduced from [15]Dancho 
Danchev's blog. Follow him [16]on Twitter. 
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3. htto.V/ddanchev.blo as oot.com/2008/03/zdnet-asia-and- 
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4. htto.V/ddanchev.blo as oot. com/2008/03/wiredcom-and- 
historvcom-aettina-rbn-ed.html 

5. htto://ddanchev.blo as oot.com/2008/03/massive-iframe- 
seo-Doisonina-attack.html 

6 . 

htto://www. virustotal. com/analisis/e4db 79b30d24c9dl 86cac 

a 7d6e5501 c9 715acc0e3cf85bdee4927094f7b5cfl c-12 735 
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historvcom-aettina-rbn-ed.html 
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seo-ooisonina-attack.html 

15. htto://ddanchev. blo as oot. com/ 

16. htto://twitter, com/danchodanchev 
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TorrentReactor.net Serving Crimeware, Client-Side 
Exploits Through a Malicious Ad (2010-05-11 08:34) 

Deja vu! 

[ljjerome Segura at the Malware Diaries is reporting that 
TorrentReactor.net, a high-trafficked torrents tracker, is 
currently serving live-exploits through a malicious ad served 
by " Fulldls.com - Your source for daily torrent downloads". 



























Why deja vu? It's because the [2]TorrentReactor.net 
malware campaign takes me back to 2008 , among the 

very first extensive profiting of Russian Business Network 
activity, with their mass "input validation abuse" campaign 
back then, successfully appearing on numerous high- 
trafficked web sites, serving guess what? Sea reware. 

Moreover, despite the surprisingly large number of people 
still getting impressed by the use of http referrers 

as an evasive practice applied by the cybercriminals, these 
particular campaigns ([3]ZDNet Asia and Torrent Re actor 
IFRAME-ed; [4JWired.com and History.com Getting RBN-ed; 
[5JMassive IFRAME 5E0 Poisoning Attack Continuing) 

are a great example of this practice in use back then: 

• So the malicious parties are implementing simple referrer 
techniques to verify that the end users coming to 

their IP, are the ones they expect to come from the 
campaign, and not client-side honey pots or even security 

researchers. And if you're not coming from you're supposed 
to come, you get a 404 error message, deceptive 

to the very end of it. 

The most recent compromise of TorrentReactor.net 
appears to be taking place through a malicioud ad serving 
exploits using the NeoSploit kit, which ultimately drops a 
ZeuS crime ware sample hosted within a fast-flux botnet. 
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The campaign structure, including detection rates, phone 
back locations and ZeuS crimeware fast-flux related data is 
as follows: 

- ads. fulldls.com /phpadsnew/www/delivery/afr.php? 
zoneid=l &cb=291476 

- ad.leet.la /stats?ref= .*ads\.fulldls\.com $ - 

208.111.34.38 - Email: bertrand.crevin@bruteie.com 

(leet.la - 

212.68.193.197 - AS12392, ASBRUTELE AS Object for 
Bruteie SC) 

- lo.dep.lt/info/usl.html - 91.212.12/.110 - lo.dep.lt - 

91.212.12/.110 - AS49087, Telos-Solutions-AS Telos 
Solutions LTD 

- 91.216.3.108 /del/index.php; 91.216.3.108 
/cal/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey 
Valerievich 

- 91.216.3.108 responding to gaihooxaefap.com - 

Nikolay Vukolov, Email: woven@qx8.ru 

Upon successful exploitation, the following malicious pdf is 
served: 

- eac27d.pdf - [6]Exploit.PDF-JS. Gen (v); JS:Pdfka-AET; - 
Result: 6/40 (15 %) which when executed phones back to 

91.216.3.108 

/cal/banner. php/1 fdal 61 dabl edd2f385d43c705a541 
d3?spl=pdf _30apr and drops: 

- myexebr.exe - [ 7 ]TSPY_QAKBOT.SMG - Result: 17/41 

(41.4 7 %) which then phones back to the ZeuS crimeware C 


&C: [8 Jsaiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 
- Email: spasm@maillife.ru 
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Fast-fluxed domains sharing the same infrastructure: 

demiliawes.com - Email: bust@qx8.ru 

jademason.com - 213.156.118.221; 217.201.4.95; 
24.139.152.4; 83.10.238.182; 85.176.73.211; 
112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: 
blare@bigmailbox. ru 

laxahngeezoh.com -190.135.224.89; 213.156.118.221; 
217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 
112.201.223.129; 119.228.44.124 - Email: 
zig@fastermail. ru 

line-ace.com - Email: greysy@gmx.com 

xareemudeixa.com -112.201.223.129; 119.228.44.124; 
170.51.231.93; 190.135.224.89; 213.156.118.221; 

217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: 
writhe@fastermail. ru 

zeferesds.com -190.135.224.89; 213.156.118.221; 
217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 
112.201.223.129; 119.228.44.124 - Email: 
mated@freemailbox. ru 

Name servers of notice: 

nsl.rexonna.net - 202.60.74.39 - Email: 
aquvafrog@animail.net 


ns2.rexonna.net - 25.120.19.23 



nsl.line-ace.com - 202.60.74.39 - Email: 
greysy@gmx. com 

ns2.line-ace.com - 67.15.223.219 

nsl.growthproperties.net - 62.19.3.2 - Email: 
growth@support.net 

ns2.growthproperties.net -15.94.34.196 

nsl.tropic-noik.com - 62.19.3.2 - Email: 
greysy@gmx. com 

ns2.tropic-noik.com -171.103.51.158 

These particular iFrame injection Russian Business 
Network's campaigns from 2008, used to rely on the 
following URL 

for their malicious purposes - a-n-d- 
the.com/wtr/router.php (216.255.185.82 - INTERCAGE- 
NETW0RK-GR0UP2). 

Why am / highlighting it? Excerpts from previous profiled 
campaigns, including one that is directly linked to the 
Koobface gang's blackhat SEO operations. 

[9JU.S Federal Forms Blackhat SEO Themed Scareware 
Campaign Expanding : 

• The compromised/mis-configured web sites participating 
in this latest blackhat SEO campaign are surprisingly 

redirecting to a-n-d-the.com /wtr/router.php - 

95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT 
AS 



NETDIRECT Frankfurt, DE if the http referrer condition isn't 
met. This very same domain - back then parked 

at INTERCAGE-NETW0RK-GR0UP2 - was also used in the 
same fashion in March, 2008's massive blackhat 5E0 

campaigns serving sea re ware. 

Not only is a-n-d-the.com /wtr/router.php 

(95.168.177.35) (Web [lOJsessions of the URL acting as 
[ll]a redirector), the exact same URL that was in 
circulating in 2008, residing on the Russian Business 
Network's netblock back then, still active, but also, it's 
currently redirecting to - if the campaign's evasive 
conditions are met - to www4.zaikob8.xorg.pl/?uid=213 
&pid=3 &ttl=31345701120 - 217.149.251.12. 

What this proves is fairly simple - with or without the 
Russian Business Network the way we used to know it, 

it's customers simply moved on to the competition, whereas 
the original Russian Business Network simply diversified its 
netblocks ownership. 

Related posts: 

[12JZDNet Asia and TorrentReactor IFRAME-ed 

[13] Wired.com and FHstory.com Getting RBN-ed 

[14] Massive /FRAME SEO Poisoning Attack Continuing 
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This post has been reproduced from [15]Dancho 
Danchev's blog. Follow him [16]on Twitter. 
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9. htto://ddanchev.blo as pot. com/2009/08/us-federal-forms- 
blackhat-seo-themed. him I 


10 . 

http.V/1.bo.blo as pot.com/_ wlCHhTiOmrA/Soa9l Vhk9l/AAAA 









































AAAAEEc/9Cx7e W aPaX O/sl 600-h/blackhat_seo_ tax latest 

10. JPG 

11 . 

htto://2. bo. blo as oot. com/_ wlCHhTiOmrA/Soa u OLktZ wl/AAAA 
AAAAEDs/mFbh2 WiDBf4/sl 600-h/blackhat seo taxlatest 

9.JPG 

12. htto.Y/ddanchev. blo as oot. com/2008/03/zdnet-asia-and- 
torrentreactor-iframe-ed.html 

13. htto.Y/ddanchev. blo as oot. com/2008/03/wiredcom-and- 
historvcom-aettina-rbn-ed.html 

14. htto.V/ddanche i/. blo as oot. com/2008/03/massive-iframe- 
seo-Doisonina-attack.html 
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Dissecting the Mass DreamHost Sites Compromise 
(2010-05-11 22:19) 

Yet another [ljmass sites compromise is currently 
taking place , this time targeting DreamHost 
customers, courtesy of the same gang behind the U.S 
Treasury/GoDaddy/NetworkSolutions mass compromise 
campaigns. 

What's particularly interesting about the campaign, is not 
just [2]the Hilary Kneber connection, but also, the fact 



























that a key command and control domain part of the 
Koobface botnet, is residing within the same AS where the 
nameservers, and one of actual domains 
(kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, 
BKCNET "SiA" iZZi) used in previous campaigns are. 

These gangs are either aware of one another's existence, 
are the exact same gang doing basic evasive prac¬ 
tices on multiple fronts, or are basically customers of the 
same cybercrime-friendly hosting service provider. 
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The DreamHost campaign structure, including the detection 
rates, phone back locations, is as follows: 

- zettapetta.com/js.php -109.196.143.56 - Email: 
hiiarykneber@yahoo. com 

- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: 
gkook@checkjemaii. nl 

- wwwl.realsafe-23.net - 209.212.149.17 - Email: 
gkook@checkjemaii. nl 
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Active client-side exploits serving, redirector domains 
parked on the same IP 109.196.143.56: zettapetta.com - 

109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom 
LLC Moscow, Russia - Email: 


hi- 


\arykneber@yahoo. com 

yahoo-statistic.com - Email: hilarykneber@yahoo.com 

primusdns.ru - Email: samm _87@emaii.com 

freehost21.tw - Email: hilarykneber@yahoo.com 

aiert35.com.tw - Email: admin@zaiert35.com.tw 

indesignstudioinfo.com - Email: 
hilarykneber@yahoo. com 

Historically, the following domains were also parked on the 
same IP 109.196.143.56: 

bananajuice21.net - Email: hilarykneber@yahoo.com 

winrar392.net - Email: Iacyjerryl958@gmail.com 

best-soft-free.com - Email: Iacyjerryl958@gmail.com 

setyupdate.com - Email: admin@setyupdate.com 

Detection rate for the scareware pushed in the campaign: 

- packupdate buildl07 2060.exe - [3]TR0j 
FRAUD.SMDV; Packed. Win32.Krap.an - Result: 8/41 (19.52 
%) with the sample phoning back to: 

update2.keep-insafety.net - 94.228.209.221 - Email: 
gkook@checkjemail. nl 

updatel.myownguardian.com - 74.118.194.78 - Email: 
gkook@checkjemail. nl 

securel.saefty-guardian.com - 94.228.220.112 - Email: 
gkook@checkjemail. nl 



report.zoneguardland.net - 91.207.192.25 - Email: 
gkook@checl<jemail. nl 

report.land-protection.com - 91.207.192.24 - Email: 
gkook@checkjemail. nl 

www5.our-security-engine.net - 94.228.220.111 - Email: 
gkook@checkjemail. nl 

reportl.stat-mx.xorg.pl 

updatel.securepro.xorg.pl 

Name servers of notice parked at 91.188.59.98, A56851, 
BKCNET "SIA " IZZI: 

nsl. oklahomacitycom. com 

ns2.oklahomacitycom.com 

What's so special about [4JAS6851, BKCNET "SiA " IZZI 
anyway? It's the Koobface gang connection in the face of 
urodinam.net, which is also hosted within AS6851, 
currently responding to 91.188.59.10. More details on 

urodinam.net: 

• [5] Koobface Botnet's Sea re ware Business Model 

• [6]Koobface Botnet's Scareware Business Model - 
Part Two 

Moreover, on the exact same IP where Koobface gang's 
urodinam.net is parked, we also have the currently 

active Izabslwvn538n4i5tcjl.com - Email: 
michaeltycoon@gmail.com, serving client side exploits 
using the Yes Malware Exploitation kit - 91.188.59.10 



/temp/cache/PDF.php; admin panel at: 

Izabslwvn538n4i5tcjl. com 

/temp/admin/index.php 
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Detection rates for the malware pushed from the same IP 
where a key Koobface botnet's C &C is hosted: 

- 55.pdf - [7]J5:Pdfka-gen; Exploit.J5.Pdfka.blf- Result: 
23/41 (56.1 %) 

- dm.exe - [8]Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - 
Result: 36/41 (87.81 %) 

- wsc.exe - [9]Net-Worm. Win32.Koobface; Trojan.FakeAV - 
Result: 36/41 (87.81 %) 

The same michaeltycoon@gmail.com used to register 
Izabsiwvn538n4i5tcji.com , was also profiled in the 

"[lOJDiverse Portfolio of Scareware/Biackhat SEO 
Redirectors Courtesy of the Koobface Gang 11 

assessment. 

Given that enough historical 051 NT is available, the 
cybercrime ecosystem can be a pretty small place. 

Related posts: 

[11JU.S. Treasury Site Compromise Linked to the 
NetworkSolutions Mass Word Press Blogs Compromise 

[12]GoDaddy's Mass Word Press Blogs Compromise Serving 
Sea re ware 


[13] Dissecting the Word Press Blogs Compromise at Network 
Solutions 

Hilary Kneber related activity: 

[14] The Kneber botnet - FAQ 

[15] Celebrity-Themed Scareware Campaign Abusing 
DocStoc 

[16] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[17] Keeping Money Mule Recruiters on a Short Leash - Part 
Four 
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This post has been reproduced from [18]Dancho 
Danchev's blog. Follow him [19]on Twitter. 
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htto: 7/www. virustotal. com/analisis/5b0ddl aa5el f84d044ac2 
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08314 

10. htto.V/ddanchev. blo as oot. com/2010/02/diverse-oortfolio- 
of-scare wareblackhat.htmI 

11. htto.V/ddanchev. blo as oot. com/2010/05/us-treasurv-site- 
comoromise-linked-to.html 

12. htto.V/ddanchev. blo as oot. com/2010/04/aodaddvs-mass- 
wordoress-bloas. html 

13. htto.V/ddanchev. blo as oot. com/2010/04/dissectin a- 
wordDress-bloas-comoromise.html 







































14. http://www.zdnet.com/bloa/securitv/the-kneber-botnet- 
fa a/5508 


15. http.V/ddanche v. b lo gs pot, com/2009/12/celebrit v- 
themed-scare ware-camoaian 07.html 

16. http.V/ddanchev. blo as oot. com/2010/02/dissectin o- 
on aoina-monev-mule.html 

17. htto://ddanchev. blo as oot. com/2010/04/keeoina-mone v- 
m uie-recruiters - on-sh ort. h tml 

18. http.V/ddanchev. blo as oot. com/ 

19. http://twitter, com/danchodanche i/ 
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Dissecting the Mass DreamHost Sites Compromise 
(2010-05-11 22:19) 

Yet another [ljmass sites compromise is currently 
taking place, this time targeting DreamHost 
customers, courtesy of the same gang behind the U.S 
Treasury/GoDaddy/NetworkSolutions mass compromise 
campaigns. 

What's particularly interesting about the campaign, is not 
just [2]the Hilary Kneber connection, but also, the fact 
that a key command and control domain part of the 
Koobface botnet, is residing within the same AS where the 
nameservers, and one of actual domains 
(kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, 
BKCNET "SiA" IZZI) used in previous campaigns are. 






















These gangs are either aware of one another's existence, 
are the exact same gang doing basic evasive prac¬ 
tices on multiple fronts, or are basically customers of the 
same cybercrime-friendly hosting service provider. 
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The DreamHost campaign structure, including the detection 
rates, phone back locations, is as follows: 

- zettapetta.com/js.php -109.196.143.56 - Email: 
hiiarykneber@yahoo. com 

- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: 
gkook@checkjemail. nl 

- wwwl.realsafe-23.net - 209.212.149.17 - Email: 
gkook@checkjemail. nl 
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Active client-side exploits serving, redirector domains 
parked on the same IP 109.196.143.56: zettapetta.com - 

109.196.143.56, A539150, VLTELECOM-AS VLineTelecom 
LLC Moscow, Russia - Email: 


hi- 


\arykneber@yahoo. com 

yahoo-statistic.com - Email: hiiarykneber@yahoo.com 
primusdns.ru - Email: samm _87@email.com 


freehost21.tw - Email: hilarykneber@yahoo.com 

alert35.com.tw - Email: admin@zaiert35.com.tw 

indesignstudioinfo.com - Email: 
hilarykneber@yahoo. com 

Historically, the following domains were also parked on the 
same IP 109.196.143.56: 

bananajuice21.net - Email: hilarykneber@yahoo.com 

winrar392.net - Email: Iacyjerryl958@gmail.com 

best-soft-free.com - Email: Iacyjerryl958@gmail.com 

setyupdate.com - Email: admin@setyupdate.com 

Detection rate for the scareware pushed in the campaign: 

- packupdatebuildl07 2060.exe - [3]TR0j 
FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52 
%) with the sample phoning back to: 

update2.keep-insafety.net - 94.228.209.221 - Email: 
gkook@checkjemail. nl 

updatel.myownguardian.com - 74.118.194.78 - Email: 
gkook@checkjemail. nl 

securel.saefty-guardian.com - 94.228.220.112 - Email: 
gkook@checkjemail. nl 

report.zoneguardland.net - 91.207.192.25 - Email: 
gkook@checkjemail. nl 

report.land-protection.com - 91.207.192.24 - Email: 
gkook@checkjemail. nl 



www5.our-security-engine.net - 94.228.220.111 - Email: 
gkook@checkjemail. nl 

reportl.stat-mx.xorg.pl 

updatel.securepro.xorg.pl 

Name servers of notice parked at 91.188.59.98, AS6851, 
BKCNET "SIA " IZZI: 

nsl. oklahomacitycom. com 

ns2. oklahomacitycom. com 

What's so special about [4JAS6851, BKCNET "SIA " IZZI 
anyway? It's the Koobface gang connection in the face of 
urodinam.net, which is also hosted within AS6851, 
currently responding to 91.188.59.10. More details on 

urodinam.net: 

• [5]Koobface Botnet's Scareware Business Model 

• [6]Koobface Botnet's Scareware Business Model - 
Part Two 

Moreover, on the exact same IP where Koobface gang's 
urodinam.net is parked, we also have the currently 

active Izabslwvn538n4i5tcjl.com - Email: 
michaeltycoon@gmail.com, serving client side exploits 
using the Yes Malware Exploitation kit - 91.188.59.10 
/temp/cache/PDF.php; admin panel at: 

Izabslwvn538n4i5tcjl. com 

/temp/admin/index.php 
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Detection rates for the malware pushed from the same IP 
where a key Koobface botnet's C &C is hosted: 

- 55.pdf - [7]J5:Pdfka-gen; Exploit.J5.Pdfka.blf- Result: 

23/41 (56.1 %) 

- dm.exe - [8]Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - 
Result: 36/41 (87.81 %) 

- wsc.exe - [9]Net-Worm. Win32.Koobface; Trojan.FakeAV - 
Result: 36/41 (87.81 %) 

The same michaeltycoon@gmail.com used to register 
Izabsiwvn538n4i5tcji.com , was also profiled in the 

"[lOJDiverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang" 

assessment. 

Given that enough historical 051 NT is available, the 
cybercrime ecosystem can be a pretty small place. 

Related posts: 

[11JU.S. Treasury Site Compromise Linked to the 
NetworkSolutions Mass Word Press Blogs Compromise 

[12] GoDaddy's Mass Word Press Blogs Compromise Serving 
Sea re ware 

[13] Dissecting the Word Press Blogs Compromise at Network 
Solutions 

Hilary Kneber related activity: 

[14] The Kneber botnet - FAQ 


[15] Celebrity-Themed Scareware Campaign Abusing 
DocStoc 

[16] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[17] Keeping Money Mule Recruiters on a Short Leash - Part 
Four 
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Spamvertised iTunes Gift Certificates and CV Themed 
Malware Campaigns (2010-05-13 20:16) 

What do the recently spamvertised [l]"Thank you for 
buying iTunes Gift Certificate!" and the "Look at my 
CV!" 

themed malware campaigns have in common? 

It's the fact that they've been launched by the same 
individual/gang. What's particularly interesting about the 
campaign, is that it's retying on a currently compromised 
web server, with a publicly accessible [2JPHP based 
backdoor. This exact [3]same approach is also used by 
the Koobface gang on a large scale, in order to efficiently 

[4]control the compromised sites involved in their 
Facebook spreading campaigns. 

Moreover, upon successful infection the campaign is not 
just pushing sea re ware, but evidence based on the 

binaries found within the directory indicate a ZeuS 
crimeware binary has been in circulation for a while. Let's 













dissect the campaign, and establish the obvious connection. 
Detection rates, phone back locations 

- iTunes certificate _497.exe - 

[5]TrojanDropper: Win32/0ficla.G - Result: 39/41 (95.12 %) 
Upon execution phones back to: 

- davidopolko.ru/migel/ bb.php?v=200 
&id=554905388 &b=6may &tm=3 

- jaazie.com/wp-inciudes 
/js/tinymce/themes/advanced/psihi.exe 

- phishi.exe - [6]Gen:Trojan.Heur.TP.bmX@bins2Eb; 
Backdoor.Win32.Protector.ao - Result: 24/41 (58.54 %) 
ultimately dropping sea re ware on the infected host. 

Both campaigns are related, since the use the same 
command and control server, which is periodically up¬ 
dated with new URLs consisting of compromised sites. The 
detection rates, phone back locations for the second 

campaign are as follows: 
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- My Resume _218.exe - [7]W32/Ofic\a.O; 
Gen:Variant.Bredo.4 - Result: 17/41 (41.46 %) 

Upon executing the same phones back to the following 
URLs, in an attempt to drop the related binaries: 


da vidopolko. ru/migel/bb.php ?v=200 

&id =636608811 

&b=12may 

&tm=2 


195.78.108.201 


Email: 

vadim. rinatovich@yandex. ru 

- topcarmitsubishi. com.br /_ vti _ bin/ _ vti 
adm/psi.exe -201.76.146.215 

- davidopolko.ru/psi.exe; davidopolko.ru 
7setupse2010. exe 

topcarmitsubishi.com.br appears to be a compromised 
site, with an open directory allowing the easier obtaining of 
the rest of the binaries used by the same gang/individual. 

Detection rates for the binaries within the open directory, 
including the dropped sea re ware: 

- psi.exe - [8]Trojan Down loader: Win32/Cutwail. gen!C; 
Backdoor.Win32.Protector.at- Result: 17/41 (41.47 %) 


-sofgold.exe - [9]Trojan.Fakealert.14822; W32/Junkcomp.A 
- Result: 15/41 (36.59 %) 



- sp.exe - [10]PW5:Win32/Zbot.gen!R; a variant of 
Win32/Kryptik.EGZ - Result: 5/41 (12.2%) 

- ustest.exe - [ll]Net-Worm. Win32.Kolab - Result: 4/41 
(9.76 %) 

- firewall.dll - [12]Trojan:Win32/Fakeinit; 
Win32/TrojanDownloader.FakeAlert.ASI - Result: 20/40 (50 
%) 

- SetupSE2010.exe - [13]W32/FakeAV.AM!genr; 
CoreGuardAntivirus2009 - Result: 29/41 (70.74 %) 
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Phone back locations, C &Cs of the 4 samples: 

[14fmystaticdatas.ru/basel/ess.cfg -195.88.144.63, 
A548984, 

VLAF-AS Vlaf Processing Ltd - Email: 

mail2businessman@gmail.com - [15]same email has 
been profiled before 

get-money-now. net/loads.php ? 

code=000000000048170 - 91.188.59.211, [16JAS6851, 
BKCNET "StA" IZZl - Email: noxim@maidsf.ru 

get-money-now.net/ firewall.dll 

get-money-now. net/cgi-bin/ware. cgi? 
adv=000000000048170 


mamapapalol.com/cgi-bin/get. pi? 


1=000000000048170 - 88.80.4.19AS33837, PRQ-AS - 
Email: 

secu- 

rity2guard@gmail. com 

SGTSRX.jackpotmsk.ru - FAST FLUX Email: 
alskudrya v@yandex. ru 

JETIHB.piterfml.ru - FAST FLUX - Email: 
alskudrya v@yandex. ru 

UDUMOM.bingoforus.ru - FAST FLUX - Email: 
alskudrya v@yandex. ru 

ZMOWOE.rusradiol.ru - FAST FLUX - Email: 
alskudrya v@yandex. ru 

funnylive2010.ru - domain part of the fast flux 
infrastructure - Email: kurk@sovbiz.net 

wapdodoit.ru - domain part of the fast flux infrastructure - 
Email: sharan812@yandex.ru 
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Related domains parked on 88.80.4.19 

(mamapapalol. com/cgi-bin/get.pl? 
1=000000000048170): 

buy-is2010.com - Email: vasya@mail.ru 

buy-security-essentiais.com - Email: noxim@maidsf.ru 
for-sunny-se.com - Email: noxim@maidsf.ru 


for-sunny-smile.com - Email: vasya@mail.ru 
mega-scan-pc-newl4.com - Email: noxim@maidsf.ru 
red-xxx-tube.net - Email: noxim@maidsf.ru 
sunny-moneyl.com - Email: noxim@maidsf.ru 
winter-smile.com - Email: vasya@mail.ru 
megahostingl 0. com 

Updated will be posted, as soon as they switch to a new 
theme, introduce new monetization tactics. 

This post has been reproduced from [17]Dancho 
Danchev's blog. Follow him [18]on Twitter. 
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The Avalanche Botnet and the TROYAK-AS Connection 
(2010-05-13 22:14) 


























According to the latest [ljAPWG Global Phishing Survey: 


• But by mid-2009, phishing was dominated by one player 
as never before the Avalanche phishing operation. This 

criminal entity is one of the most sophisticated and 
damaging on the Internet, and perfected a mass-production 

system for deploying phishing sites and "crimeware" - 
malware designed specifically to automate identity theft 
and facilitate unauthorized transactions from consumer 
bank accounts. Avalanche was responsible for two-thirds 
(66 %) of all phishing attacks launched in the second half of 
2009, and was responsible for the overall 

increase in phishing attacks recorded across the Internet." 

The [2]Avalanche botnet's ecosystem is described by 
PhishLabs as: 

• "[3]Cutwail aka Push Do is a spamming trojan being 
used to send out [4]massive amounts of spam with 
links (or lures) to phishing pages or pages that ask the 
users to download and run programs. Those programs 
invariably turn out to be instances of the 
[5]Zeus/ZBot/WNSPOEM banking Trojan. There are also 
unrelated criminals 

that also use Zeus Trojans to steal online banking 
information that are not related to this set of scams. 

The Avalanche botnet is the middle-step between the 
spamming botnet and Trojans that steal banking informa¬ 
tion. It is basically a hosting platform used by the attackers. 
Because the Avalanche bots act as a simple proxy, and 



there are thousands of them, it has been exceedingly 
difficult to shutdown the phish pages. Instead most 

Anti-Phishing organizations have focused on shutting down 
the domain names that were used in the phishing 

URLs." 
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One of the most notable facts about the botnet, is their 
persistent interaction with the [6JTROYAK-AS cybercrime- 
friendly ISP, where they used to host a huge percentage of 
their ZeuS C &Cs, next to the actual client-side exploit 
serving iFra me domains/IPs, found on each and every of 
their phishing pages. The following chronology, exclusively 
details their client-side exploits/ZeuS crime ware serving 
campaigns. 

The Avalanche Botnet's ZeuS crimeware/client-side 
exploit serving campaigns > in chronological order: 

[7] Zeus Crimeware/Client-Side Exploits Serving Campaign in 
the Wild 

[8] Scareware, Sinowal, Client-Side Exploits Serving Spam 
Campaign in the Wild 

[9] lRS/PhotoArchive Themed Zeus/Client-Side Exploits 
Serving Campaign in the Wild 

[lOJTax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[HJPhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 



[12] Facebook/AOL Update Tool Spam Campaign Serving 
Crime ware and Client-Side Exploits 

[13] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[14] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[15] Pushdo Injecting Bogus Swine Flu Vaccine 

[16] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[17] Ongoing FDiC Spam Campaign Serves Zeus Crimeware 

[18] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

Related articles on TROYAK-AS, and various 
cybercrime trends: 

[19JTR0YAK-AS: the cybercrime-friend iy ISP that just won't 
go away 

[20] AS-Troyak Exposes a Large Cybercrime Infrastructure 

[21] The current state of the crimeware threat - Q &A 

[22] Report: ZeuS crimeware kit, malicious PDFs drive 
growth of cybercrime 

[23] Report: Malicious PDF files comprised 80 percent of ail 
exploits for 2009 

This post has been reproduced from [24]Dancho 
Danchev's blog. Follow him [25]on Twitter. 
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httD.V/www.zdnet.com/bloa/securitv/reoort-malicious-odf- 

files-comorised-80-oercent-of-all-exDloits-for- 
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The Avalanche Botnet and the TROYAK-AS Connection 
(2010-05-13 22:14) 

According to the latest [1JAPWC Global Phishing Survey: 

• But by mid-2009, phishing was dominated by one player 
as never before the Avalanche phishing operation. This 

criminal entity is one of the most sophisticated and 
damaging on the Internet, and perfected a mass-production 

system for deploying phishing sites and "crimeware" - 
malware designed specifically to automate identity theft 
and facilitate unauthorized transactions from consumer 
bank accounts. Avalanche was responsible for two-thirds 
(66 %) of all phishing attacks launched in the second half of 
2009, and was responsible for the overall 

increase in phishing attacks recorded across the Internet." 

The [2]Avalanche botnet's ecosystem is described by 
PhishLabs as: 

• "[3]Cutwail aka Push Do is a spamming trojan being 
used to send out [4]massive amounts of spam with 
links (or lures) to phishing pages or pages that ask the 
users to download and run programs. Those programs 
invariably turn out to be instances of the 






[5]Zeus/ZBot/WNSPOEM banking Trojan. There are also 
unrelated criminals 

that also use Zeus Trojans to steal online banking 
information that are not related to this set of scams. 

The Avalanche botnet is the middle-step between the 
spamming botnet and Trojans that steal banking informa¬ 
tion. it is basically a hosting platform used by the attackers. 
Because the Avalanche bots act as a simple proxy, and 
there are thousands of them, it has been exceedingly 
difficult to shutdown the phish pages. Instead most 

Anti-Phishing organizations have focused on shutting down 
the domain names that were used in the phishing 

URLs." 
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One of the most notable facts about the botnet, is their 
persistent interaction with the [6JTROYAK-AS cybercrime- 
friendly ISP, where they used to host a huge percentage of 
their ZeuS C &Cs, next to the actual client-side exploit 
serving iFra me domains/IPs, found on each and every of 
their phishing pages. The following chronology, exclusively 
details their client-side exploits/ZeuS crime ware serving 
campaigns. 

The Avalanche Botnet's ZeuS crimeware/client-side 
exploit serving campaigns, in chronological order: 

[7]Zeus Crimeware/Client-Side Exploits Serving Campaign in 
the Wild 



[8] 5careware, Sinowal, Client-Side Exploits Serving Spam 
Campaign in the Wild 

[9] lRS/PhotoArchive Themed Zeus/Client-Side Exploits 
Serving Campaign in the Wild 

[lOjTax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[HjPhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[12] Facebook/AOL Update Tool Spam Campaign Serving 
Crime ware and Client-Side Exploits 

[13] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[14] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[15] Pushdo Injecting Bogus Swine Flu Vaccine 

[16] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[17] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[18] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

Related articles on TROYAK-AS, and various 
cybercrime trends: 

[19JTR0YAK-AS: the cybercrime-friendly ISP that just won't 
go away 

[20]AS-Troyak Exposes a Large Cybercrime Infrastructure 



[21] The current state of the crimeware threat - Q &A 

[22] Report: ZeuS crimeware kit, malicious PDFs drive 
growth of cybercrime 

[23] Report: Malicious PDF files comprised 80 percent of all 
exploits for 2009 

This post has been reproduced from [24]Dancho 
Danchev's blog. Follow him [25]on Twitter. 
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Koobface Gang Responds to the "10 Things You 
Didn't Know About the Koobface Gang Post" 

(2010-05-17 21:23) 

UPDATED Moday, May 24, 2010: The sea re ware 
domains/redirectors pushed by the Koobface botnet, have 
been 

included at the bottom of this post, including detection 
rates and phone back URLs. 

On May 13th, 2010, the Koobface gang responded to my " 

[1]10 things you didn't know about the Koobface 

gang " post published in February, 2010, by including the 
following message within Koobface-infected hosts, serving 
bogus video players, and, of course, sea re ware: 















• regarding this [2]article By Dancho Danchev / February 
23, 2010, 9:30am PST 

1. no connection 2 . what's reason to buy software just for 
one screenshot? 3 . no connection 4. :) 5 . :) 6 . :) 7. 

it was 'aii baba & 4' originally you should be more careful 
8. heh 9. strange error, there're no experiments on that 10. 
maybe, not 100 % sure 

AH Baba 13 may 2010 

This is the [3]second individual message left by the 
botnet masters for me, and the third one in general 
where I'm referenced. 

What makes an impression is their/his attempt to distance 
themselves/himself from major campaigns affect¬ 
ing high profile U.S based web properties, fraudulent 
activities such as dick fraud, and their/his attempt to 
legitimize their/his malicious activities by emphasizing on 
the fact that they/he are not involved in crimeware 
campaigns, and have never stolen any credit card details. 

01. [4]The gang is connected to, probably 
maintaining the dick-fraud facilitating Bahama 
botnet 

- Koobface gang: no connection 
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You wish, you wish. [5]ClickForensics pointed it out, [6]l 
confirmed it, and at a later stage reproduced it. 


Among the many examples of this activities, is MD5: 

Ofbfla9f8e6e305138151440da58b4fl modifying the 


HOSTS file on the infected PCs to [7]redirect all the 
Google and Yahoo search traffic to 89.149.210.109, 
whereas, in [8]between phoning back to well known 
[9]Koobface scareware C &Cs at the time, such as 
212.117.160.18, and urodinam .net/8732489273.php at 
the time. 

In May, 2010, parked on the very same IP to which 
urodinam.net (91.188.59.10) is currently responding to, 
is an active [10 fclient-side exploits serving campaign 
using the YES malware exploitation kit 

(Izabslwvn538n4i5tcjl.com - 

Email: michaeitycoon@gmaii. com). 

I can go on forever. 

02. [llJDespite their steady revenue flow from sales 
of scareware, the gang once used trial software to 
take a screenshot of a YouTube video 

- Koobface gang: what's reason to buy software just for one 
screenshot? 
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No reason at all, I guess that's also the reason behind the 
temporary change in [12]scareware URIs to include 
GREED within the file name. 

03. [13]The Koobface gang was behind the 
malvertising attack the hit the web site of the New 
York Times 



in September 

- Koobface gang: no connection 
You wish, you wish. 

In fact, several of the recent high-profile malvertising 
campaigns that targeted major Web 2.0 properties, can 

be also traced back to their infrastructure. Now, whether 
they are aware of the true impact of the maivertisement 
campaign, and whether they are intentionally pushing it at 
a particular web site remains unknown. 

The fact is that, the exact [14]same domain that was 
used in the NYTimes redirection, was also back then 

embedded on all of the Koobface infected hosts, in 

order to serve sea re ware. 


04. 


[15]The gang conducted a several hours experiment 
in November, 2009 when for the first time ever 

client-side exploits were embedded on Koobface¬ 
serving compromised hosts 

- Koobface gang::) 

He who smiles last, smiles best. 

05. [16]The Koobface gang was behind the massive 
(1+ million affected web sites) scareware serving 
cam¬ 


paign in November, 2009 



- Koobface gang::) 


Since they're admitting their involvement in point 5, they 
also don't know/forget that one of the many ways 

the [17]connection between the Koobface gang and 
massive blackhat SEO campaign was established in 
exactly the same way as the one in their involvement in the 
NYTimes malvertising campaign. Convenient denial of 
involvement in high-profile campaigns means nothing when 
collected data speaks for itself 

06. [18]The Koobface Gang Monetizes Mac OS X 
Traffic through adult dating/Russian online movie 
market¬ 
places 

- Koobface gang::) 

Read more on the practice - " [19] How the Koobface 
Gang Monetizes Mac OS X Traffic 
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07. [20]Aii Baba and 40 LLC a.k.a the Koobface gang 
greeted the security community on Christmas 

- Koobface gang: it was 'ali baba & 4' originally you should 
be more careful 

Since the original [21 ]Ali Baba had 40 thieves with him, 

not 4, the remaining 36 can be best described as the 


cybee rime ecosystem's stakeholders earning revenues and 
having their business models scaling, thanks to the 

involvement of the Koobface botnet. 

08. [22]The Koobface gang once redirected 
Facebook's IP space to my personal blog 

- Koobface gang: heh 

Read more on the topic - " [23]Koobface Botnet 
Redirects Facebook's IP Space to my Blog ". 

09. [24]The gang is experimenting with alternative 
propagation strategies, such as for instance Skype 
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- Koobface gang: strange error, there're no experiments on 
that 

Hmm, who should I trust? [25]SophosLabs and 
[26]TrendMicro or the Koobface gang? SophosLabs and 
Trend Micro or the Koobface gang? Soph os Labs and 
Trend Micro or....well you get the point. Of course there isn't, 
now that's is publicly known it's in the works. 

10. [27]The gang is monetizing traffic through the 
Crusade Affiliates scareware network 

- Koobface gang: maybe, not 100 % sure 

They don't know where they get ail the money by being 
pushing scareware? How convenient. 


When data and facts talk, even "CyberJesus" listens. Read 
more on the monetization model - " [28]Koobface 
Botnet's Scareware Business Model " [29]Koobface 
Botnet's Scareware Business Model - Part Two ". 

The Koobface botnet is currently pushing scareware through 

2gig-antivirus.com?mid=312 &code=4dbl2f &d=l 

&s=2 -195.5.161.210 - Email: test@now.net.cn 
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Parked on the same IP (195.5.161.210, A531252, 5TARNET¬ 
AS StarNet Moldova) are also: 

Oweb-antispyware.com - Email: test@now.net.cn 

12netantispy.com - Email: test@now.net.cn 

13netantispy.com - Email: test@now.net.cn 

14netantispy.com - Email: test@now.net.cn 

16netantispy.com - Email: test@now.net.cn 

lanetantispy.com - Email: test@now.net.cn 

lbnetantispy.com - Email: test@now.net.cn 

lgb-scanner.com - Email: test@now.net.cn 

lgig-antivirus.com - Email: test@now.net.cn 

lwebantivirus.com - Email: test@now.net.cn 

20gb-antivirus.com - Email: test@now.net.cn 


2gb-scanner.com - Email: test@now.net.cn 
2gig-antivirus.com - Email: test@now.net.cn 
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2mb-scanner.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3gb-scanner.com - Email: test@now.net.cn 
3gig-antivirus.com - Email: test@now.net.cn 
3mb-scanner.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net. 
3webantivirus.com - Email: test@now.net.cn 
40gb-antivirus.com - Email: test@now.net.cn 
4gb-scanner.com - Email: test@now.net.cn 
4gig-antivirus.com - Email: test@now.net.cn 
4mb-scanner.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
50gb-antivirus.com - Email: test@now.net.cn 



5gb-scanner.com - Email: test@now.net.cn 
5gig-antivirus.com - Email: test@now.net.cn 
5mb-scanner.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6mb-scanner.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
aweb-antispyware.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 

- setup.exe - [30]Gen:Variant.Koobface.2; W32.Koobface - 
Result: 15/40 (37.5 %) 

- MalvRem 312s2.exe - [31]W32/FakeAlert.5!Maximus; 
Trojan. Win32.FakeAV - Result: 10/41 (24.4 %) which once 
executed phones back to: 



- slsystem.com/download/winlogo.bmp - 

91.213.157.104, AS 13618, CARONET-AS - Email: 
con ta ct@priva cy- 

protect.cn 

- networkilO.com - 91.213.217.106, AS42473, ANEXIA-AS 

- Email: contact@privacy-protect.cn 

UPDATED: Wednesday, May 19, 2010 : 

The current redirection taking place through the embedded 
link on Koobface infected hosts, takes place through: 

www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, 
VITAL TEKNOLOJI 

- wwwl.fastsearch.cz.cc - 207.58.177.96 - AS25847, 
SERVINT Servlnt Corporation 

Detection rates: 

- setup.exe - [32]Win32/Koobface.NCX; 

Gen:Variant.Koobface.2 - Result: 13/41 (31.71 %) 

- packupdate buildl07 2039.exe - 

[33]W32/FakeAV.AM!genr; Mai/FakeAV-AX - Result: 8/41 
(19.52 %) 
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Upon execution, the scareware sample phones back to: 

updatel.myownguardian.com - 94.228.209.223, 
AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl 


update2.myownguardian.net - 93.186.124.92, A544565, 
VITAL TEKNOLOJl - Email: gkook@checkjemail.nl 

UPDATED Moday, May 24, 2010 : 

The following Koobface sea reware domains/redirectors have 
been pushed 

by the Koobface gang over the pat 7 days. All of them 
continue using the services of AS31252, STARNET-AS 
StarNet Moldova at 195.5.161.210 and 
195.5.161.211. 

Oweb-antispyware.com - Email: test@now.net.cn 
12netantispy.com - Email: test@now.net.cn 
13netantispy.com - Email: test@now.net.cn 
14netantispy.com - Email: test@now.net.cn 
15netantispy.com - Email: test@now.net.cn 
16netantispy.com - Email: test@now.net.cn 
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lanetantispy.com - Email: test@now.net.cn 
lbnetantispy.com - Email: test@now.net.cn 
lcnetantispy.com - Email: test@now.net.cn 
ldnetantispy.com - Email: test@now.net.cn 
leliminatemalware.com - Email: test@now.net.cn 
leliminatespy.com - Email: test@now.net.cn 



leliminatethreats.com - Email: test@now.net.cn 
leiiminatevirus.com - Email: test@now.net.cn 
lenetantispy.com - Email: test@now.net.cn 
lwebantivirus.com - Email: test@now.net.cn 
lwebfilterlOOO.com - Email: test@now.net.cn 
lwww-antispyware.com - Email: test@now.net.cn 
lwww-antivirus.com - Email: test@now.net.cn 
20gb-antivirus.com - Email: test@now.net.cn 
2eliminatemalware.com - Email: test@now.net.cn 
2eliminatevirus.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
2www-antispyware.com - Email: test@now.net.cn 
2www-antivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net.cn 
3webantivirus.com - Email: test@now.net.cn 
3www-antispyware.com - Email: test@now.net.cn 
3www-antivirus.com - Email: test@now.net.cn 



40gb-antivirus.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
4www-antispyware.com - Email: test@now.net.cn 
4www-antivirus.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
5www-antispyware.com - Email: test@now.net.cn 
5www-antivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
a30windows-scan.com - Email: test@now.net.cn 
a40windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a60windows-scan.com - Email: test@now.net.cn 
americanscanner.com - Email: test@now.net.cn 
aresearchsecurity.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 



barracudalO.com - Email: test@now.net.cn 
beguardsystem.com - Email: test@now.net.cn 
beguardsystem2.com - Email: test@now.net.cn 
bewareofthreat.com - Email: test@now.net.cn 
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bewareofydanger.com - Email: test@now.net.cn 
bprotectsystem.com - Email: test@now.net.cn 
bwebantivirus.com - Email: test@now.net.cn 
choclatescanner2.com - Email: test@now.net.cn 
cleanerscanner2.com - Email: test@now.net.cn 
cnn2scanner.com - Email: test@now.net.cn 
cprotectsystem.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dacota4security.com - Email: test@now.net.cn 
defencyresearch.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defensecapability.com - Email: test@now.net.cn 
dprotectsystem.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 



eliminatespy.com - Email: test@now.net.cn 
eliminatethreat.com - Email: test@now.net.cn 
eiiminatethreats.com - Email: test@now.net.cn 
eprotectsystem.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
fantasticscan2.com - Email: test@now.net.cn 
fortescanner.com - Email: test@now.net.cn 
four4defence.com - Email: test@now.net.cn 
fprotectsystem.com - Email: test@now.net.cn 
house2call.com - Email: test@now.net.cn 
house4call.com - Email: test@now.net.cn 
ibewareofdanger.com - Email: test@now.net.cn 
iresearchdefence.com - Email: test@now.net.cn 
ldefenceresearch.com - Email: test@now.net.cn 
micro2smart.com - Email: test@now.net.cn 
micro4smart.com - Email: test@now.net.cn 
micro6smart.com - Email: test@now.net.cn 
necessitydefense.com - Email: test@now.net.cn 
nolongerthreat.com - Email: test@now.net.cn 
nova3-antispyware.com - Email: test@now.net.cn 



nova4-antispyware.com - Email: test@now.net.cn 
nova5-antispyware.com - Email: test@now.net.cn 
nova7-antispyware.com - Email: test@now.net.cn 
nova8-antispyware.com - Email: test@now.net.cn 
nova-antivirusl.com - Email: test@now.net.cn 
nova-antivirus2.com - Email: test@now.net.cn 
novascanner2.com - Email: test@now.net.cn 
nova-scanner2.com - Email: test@now.net.cn 
novascanner3.com - Email: test@now.net.cn 
nova-scanner3.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 
nova-scanner4.com - Email: test@now.net.cn 
novascanner5.com - Email: test@now.net.cn 
nova-scanner5.com - Email: test@now.net.cn 
novascanner7.com - Email: test@now.net.cn 
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nova-scanner7.com - Email: test@now.net.cn 
onguardsystem2.com - Email: test@now.net.cn 
overllscanner.com - Email: test@now.net.cn 
pcguardsystem2.com - Email: test@now.net.cn 



pcguardsystems.com - Email: test@now.net.cn 
pcpiscanner.com - Email: test@now.net.cn 
pitstopscan.com - Email: test@now.net.cn 
protectionfunctions.com - Email: test@now.net.cn 
protectionmeasure.com - Email: test@now.net.cn 
protectionmethods.com - Email: test@now.net.cn 
protectionoffices.com - Email: test@now.net.cn 
protectionprincipies.com - Email: test@now.net.cn 
protectsystema.com - Email: test@now.net.cn 
protectsystemc.com - Email: test@now.net.cn 
protectsystemd.com - Email: test@now.net.cn 
protectsysteme.com - Email: test@now.net.cn 
protectsystemf.com - Email: test@now.net.cn 
researchdefence.com - Email: test@now.net.cn 
researchysecurity.com - Email: test@now.net.cn 
spywarekiiiera.com - Email: test@now.net.cn 
spywarekillerc.com - Email: test@now.net.cn 
spywarekillerd.com - Email: test@now.net.cn 
spywarekillere.com - Email: test@now.net.cn 
spywarekillerr.com - Email: test@now.net.cn 



spywarekillerz5.com - Email: test@now.net.cn 
stainsscanner2.com - Email: test@now.net.cn 
stop20attack.com - Email: test@now.net.cn 
tendefender2.com - Email: test@now.net.cn 
thelosers2010.com - Email: test@now.net.cn 
trivalsoftware.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
use6defence.com - Email: test@now.net.cn 
viruskiller3a.com - Email: test@now.net.cn 
viruskiller4a.com - Email: test@now.net.cn 
viruskiller5a.com - Email: test@now.net.cn 
viruskiller6a.com - Email: test@now.net.cn 
webfilterlOO.com - Email: test@now.net.cn 
webfilter999.com - Email: test@now.net.cn 
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn 
yourguardsystem2.com - Email: test@now.net.cn 
z22windows-scan.com - Email: test@now.net.cn 
z23windows-scan.com - Email: test@now.net.cn 



z25windows-scan.com - Email: test@now.net.cn 
z27windows-scan.com - Email: test@now.net.cn 
zaresearchsecurity.com - Email: test@now.net.cn 
Detection rates: 

- setup.exe - [34]Net-Worm:W32/Koobface.HN; 
Mai/Koobface-D - Result: 11/41 (26.83 %) 
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- avdistr_312.exe - [35]Trojan.FakeAV!gen24; 

Trojan.FakeAV - Result: 8/41 (19.52 %) 

Upon execution phones back to: 

slsystem.com/do wnload/winlogo. bmp - 

91.213.157.104 - Email: contact@privacy-protect.cn 

accsupdate.com/?b=l 03si -193.105.134.115 - Email: 
contact@privacy-protect. cn 

Previous parked on 91.213.217.106, A542473 ’ ANEXIA-AS 
now responding to 193.105.134.115, AS42708, PORTLANE: 

networkilO.com - Email: contact@privacy-protect.cn 

winsecuresoftorder.com - Email: contact@privacy- 
protect.cn 

time-zoneserver.com - Email: contact@privacy-protect.cn 

lbiacklist.com - Email: contact@privacy-protect.cn 

In order to understand the importance of profiting Koobface 
gang's activities, consider going their their underground 



multitasking campaigns in the related posts. 

Related Koobface botnet/Koobface gang research: 

[3 6] From the Koobface Gang with Sea re ware Serving 
Compromised Sites 

[37] Dissecting Koobface Gang's Latest Facebook Spreading 
Campaign 

[38] Koobface Redirectors and Sea re ware Campaigns Now 
Fiosted in Moldova 

[39] 10 things you didn't know about the Koobface gang 

[40] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[41 ]Fiow the Koobface Gang Monetizes Mac OS X Traffic 

[42] The Koobface Gang Wishes the Industry "Fiappy 
Fi olid ays" 

[43] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[44] Koobface Botnet Starts Serving Client-Side Exploits 

[45] Massive Sea re ware Serving Biackhat SEO, the Koobface 
Gang Style 

[46] Koobface Botnet's Scareware Business Model - Part Two 

[47] Koobface Botnet's Scareware Business Model - Part One 

[48] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 



[49] New Koobface campaign spoofs Adobe's Flash updater 

[50] Social engineering tactics of the Koobface botnet 

[51] Koobface Botnet Dissected in a Trend Micro Report 

[52] Movement on the Koobface Front - Part Two 

[53] Movement on the Koobface Front 

[54] Koobface - Come Out, Come Out, Wherever You Are 

[55] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [56]Dancho 
Danchev's blog. Follow him [57]on Twitter. 
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18. httoV/www.zdnet.com/bloa/securitv/10-thin as- vou-didnt- 
know-about-the-koobface-aana/5452 
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21. htto://en. wikipedia.ora/wiki/Ali_Baba 
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Koobface Gang Responds to the "10 Things You 
Didn't Know About the Koobface Gang Post" 

(2010-05-17 21:23) 

UPDATED Moday, May 24, 2010: The sea re ware 
domains/redirectors pushed by the Koobface botnet, have 
been 

included at the bottom of this post, including detection 
rates and phone back URLs. 

On May 13th, 2010, the Koobface gang responded to my " 

[1]10 things you didn't know about the Koobface 

gang " post published in February, 2010, by including the 
following message within Koobface-infected hosts, serving 
bogus video players, and, of course, sea re ware: 















• regarding this [2]article By Dancho Danchev / February 
23, 2010, 9:30am PST 

1. no connection 2 . what's reason to buy software just for 
one screenshot? 3. no connection 4. :) 5. :) 6. :) 7. 

it was 'aii baba & 4' originally you should be more careful 
8. heh 9. strange error, there're no experiments on that 10. 
maybe, not 100 % sure 

AH Baba 13 may 2010 

This is the [3]second individual message left by the 
botnet masters for me, and the third one in general 
where I'm referenced. 

What makes an impression is their/his attempt to distance 
themselves/himself from major campaigns affect¬ 
ing high profile U.S based web properties, fraudulent 
activities such as dick fraud, and their/his attempt to 
legitimize their/his malicious activities by emphasizing on 
the fact that they/he are not involved in crimeware 
campaigns, and have never stolen any credit card details. 

01. [4]The gang is connected to, probably 
maintaining the dick-fraud facilitating Bahama 
botnet 

- Koobface gang: no connection 
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You wish, you wish. [5]ClickForensics pointed it out, [6]l 
confirmed it, and at a later stage reproduced it. 


Among the many examples of this activities, is MD5: 

Ofbfla9f8e6e305138151440da58b4fl modifying the 


HOSTS file on the infected PCs to [7]redirect all the 
Google and Yahoo search traffic to 89.149.210.109, 
whereas, in [8]between phoning back to well known 
[9]Koobface scareware C &Cs at the time, such as 
212.117.160.18, and urodinam .net/8732489273.php at 
the time. 

In May, 2010, parked on the very same IP to which 
urodinam.net (91.188.59.10) is currently responding to, 
is an active [10 fclient-side exploits serving campaign 
using the YES malware exploitation kit 

(Izabslwvn538n4i5tcjl.com - 

Email: michaeitycoon@gmaii. com). 

I can go on forever. 

02. [llJDespite their steady revenue flow from sales 
of scareware, the gang once used trial software to 
take a screenshot of a YouTube video 

- Koobface gang: what's reason to buy software just for one 
screenshot? 
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No reason at all, I guess that's also the reason behind the 
temporary change in [12]scareware URIs to include 
GREED within the file name. 

03. [13]The Koobface gang was behind the 
malvertising attack the hit the web site of the New 
York Times 



in September 

- Koobface gang: no connection 
You wish, you wish. 

In fact, several of the recent high-profile malvertising 
campaigns that targeted major Web 2.0 properties, can 

be also traced back to their infrastructure. Now, whether 
they are aware of the true impact of the maivertisement 
campaign, and whether they are intentionally pushing it at 
a particular web site remains unknown. 

The fact is that, the exact [14]same domain that was 
used in the NYTimes redirection, was also back then 

embedded on all of the Koobface infected hosts, in 

order to serve sea re ware. 


04. 


[15]The gang conducted a several hours experiment 
in November, 2009 when for the first time ever 

client-side exploits were embedded on Koobface¬ 
serving compromised hosts 

- Koobface gang::) 

He who smiles last, smiles best. 

05. [16]The Koobface gang was behind the massive 
(1+ million affected web sites) scareware serving 
cam¬ 


paign in November, 2009 



- Koobface gang::) 


Since they're admitting their involvement in point 5, they 
also don't know/forget that one of the many ways 

the [17]connection between the Koobface gang and 
massive blackhat SEO campaign was established in 
exactly the same way as the one in their involvement in the 
NYTimes malvertising campaign. Convenient denial of 
involvement in high-profile campaigns means nothing when 
collected data speaks for itself 

06. [18]The Koobface Gang Monetizes Mac OS X 
Traffic through adult dating/Russian online movie 
market¬ 
places 

- Koobface gang::) 

Read more on the practice - " [19] How the Koobface 
Gang Monetizes Mac OS X Traffic 
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07. [20]Aii Baba and 40 LLC a.k.a the Koobface gang 
greeted the security community on Christmas 

- Koobface gang: it was 'ali baba & 4' originally you should 
be more careful 

Since the original [21 ]Ali Baba had 40 thieves with him, 

not 4, the remaining 36 can be best described as the 


cybee rime ecosystem's stakeholders earning revenues and 
having their business models scaling, thanks to the 

involvement of the Koobface botnet. 

08. [22]The Koobface gang once redirected 
Facebook's IP space to my personal blog 

- Koobface gang: heh 

Read more on the topic - " [23]Koobface Botnet 
Redirects Facebook's IP Space to my Blog ". 

09. [24]The gang is experimenting with alternative 
propagation strategies, such as for instance Skype 
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- Koobface gang: strange error, there're no experiments on 
that 

Hmm, who should I trust? [25]SophosLabs and 
[26]TrendMicro or the Koobface gang? SophosLabs and 
Trend Micro or the Koobface gang? Soph os Labs and 
Trend Micro or....well you get the point. Of course there isn't, 
now that's is publicly known it's in the works. 

10. [27]The gang is monetizing traffic through the 
Crusade Affiliates scareware network 

- Koobface gang: maybe, not 100 % sure 

They don't know where they get ail the money by being 
pushing scareware? How convenient. 


When data and facts talk, even "CyberJesus" listens. Read 
more on the monetization model - " [28]Koobface 
Botnet's Scareware Business Model " [29]Koobface 
Botnet's Scareware Business Model - Part Two ". 

The Koobface botnet is currently pushing scareware through 

2gig-antivirus.com?mid=312 &code=4dbl2f &d=l 

&s=2 -195.5.161.210 - Email: test@now.net.cn 
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Parked on the same IP (195.5.161.210, A531252, 5TARNET¬ 
AS StarNet Moldova) are also: 

Oweb-antispyware.com - Email: test@now.net.cn 

12netantispy.com - Email: test@now.net.cn 

13netantispy.com - Email: test@now.net.cn 

14netantispy.com - Email: test@now.net.cn 

16netantispy.com - Email: test@now.net.cn 

lanetantispy.com - Email: test@now.net.cn 

lbnetantispy.com - Email: test@now.net.cn 

lgb-scanner.com - Email: test@now.net.cn 

lgig-antivirus.com - Email: test@now.net.cn 

lwebantivirus.com - Email: test@now.net.cn 

20gb-antivirus.com - Email: test@now.net.cn 


2gb-scanner.com - Email: test@now.net.cn 
2gig-antivirus.com - Email: test@now.net.cn 
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2mb-scanner.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3gb-scanner.com - Email: test@now.net.cn 
3gig-antivirus.com - Email: test@now.net.cn 
3mb-scanner.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net. 
3webantivirus.com - Email: test@now.net.cn 
40gb-antivirus.com - Email: test@now.net.cn 
4gb-scanner.com - Email: test@now.net.cn 
4gig-antivirus.com - Email: test@now.net.cn 
4mb-scanner.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
50gb-antivirus.com - Email: test@now.net.cn 



5gb-scanner.com - Email: test@now.net.cn 
5gig-antivirus.com - Email: test@now.net.cn 
5mb-scanner.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6mb-scanner.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
aweb-antispyware.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 

- setup.exe - [30]Gen:Variant.Koobface.2; W32.Koobface - 
Result: 15/40 (37.5 %) 

- MalvRem 312s2.exe - [31]W32/FakeAlert.5!Maximus; 
Trojan. Win32.FakeAV - Result: 10/41 (24.4 %) which once 
executed phones back to: 



- slsystem.com/download/winlogo.bmp - 

91.213.157.104, AS 13618, CARONET-AS - Email: 
con ta ct@priva cy- 

protect.cn 

- networkilO.com - 91.213.217.106, AS42473, ANEXIA-AS 

- Email: contact@privacy-protect.cn 

UPDATED: Wednesday, May 19, 2010 : 

The current redirection taking place through the embedded 
link on Koobface infected hosts, takes place through: 

www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, 
VITAL TEKNOLOJI 

- wwwl.fastsearch.cz.cc - 207.58.177.96 - AS25847, 
SERVINT Servlnt Corporation 

Detection rates: 

- setup.exe - [32]Win32/Koobface.NCX; 

Gen:Variant.Koobface.2 - Result: 13/41 (31.71 %) 

- packupdate buildl07 2039.exe - 

[33]W32/FakeAV.AM!genr; Mai/FakeAV-AX - Result: 8/41 
(19.52 %) 
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Upon execution, the scareware sample phones back to: 

updatel.myownguardian.com - 94.228.209.223, 
AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl 


update2.myownguardian.net - 93.186.124.92, A544565, 
VITAL TEKNOLOJl - Email: gkook@checkjemail.nl 

UPDATED Moday, May 24, 2010 : 

The following Koobface sea reware domains/redirectors have 
been pushed 

by the Koobface gang over the pat 7 days. All of them 
continue using the services of AS31252, STARNET-AS 
StarNet Moldova at 195.5.161.210 and 
195.5.161.211. 

Oweb-antispyware.com - Email: test@now.net.cn 
12netantispy.com - Email: test@now.net.cn 
13netantispy.com - Email: test@now.net.cn 
14netantispy.com - Email: test@now.net.cn 
15netantispy.com - Email: test@now.net.cn 
16netantispy.com - Email: test@now.net.cn 
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lanetantispy.com - Email: test@now.net.cn 
lbnetantispy.com - Email: test@now.net.cn 
lcnetantispy.com - Email: test@now.net.cn 
ldnetantispy.com - Email: test@now.net.cn 
leliminatemalware.com - Email: test@now.net.cn 
leliminatespy.com - Email: test@now.net.cn 



leliminatethreats.com - Email: test@now.net.cn 
leiiminatevirus.com - Email: test@now.net.cn 
lenetantispy.com - Email: test@now.net.cn 
lwebantivirus.com - Email: test@now.net.cn 
lwebfilterlOOO.com - Email: test@now.net.cn 
lwww-antispyware.com - Email: test@now.net.cn 
lwww-antivirus.com - Email: test@now.net.cn 
20gb-antivirus.com - Email: test@now.net.cn 
2eliminatemalware.com - Email: test@now.net.cn 
2eliminatevirus.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
2www-antispyware.com - Email: test@now.net.cn 
2www-antivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net.cn 
3webantivirus.com - Email: test@now.net.cn 
3www-antispyware.com - Email: test@now.net.cn 
3www-antivirus.com - Email: test@now.net.cn 



40gb-antivirus.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
4www-antispyware.com - Email: test@now.net.cn 
4www-antivirus.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
5www-antispyware.com - Email: test@now.net.cn 
5www-antivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
a30windows-scan.com - Email: test@now.net.cn 
a40windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a60windows-scan.com - Email: test@now.net.cn 
americanscanner.com - Email: test@now.net.cn 
aresearchsecurity.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 



barracudalO.com - Email: test@now.net.cn 
beguardsystem.com - Email: test@now.net.cn 
beguardsystem2.com - Email: test@now.net.cn 
bewareofthreat.com - Email: test@now.net.cn 
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bewareofydanger.com - Email: test@now.net.cn 
bprotectsystem.com - Email: test@now.net.cn 
bwebantivirus.com - Email: test@now.net.cn 
choclatescanner2.com - Email: test@now.net.cn 
cleanerscanner2.com - Email: test@now.net.cn 
cnn2scanner.com - Email: test@now.net.cn 
cprotectsystem.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dacota4security.com - Email: test@now.net.cn 
defencyresearch.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defensecapability.com - Email: test@now.net.cn 
dprotectsystem.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 



eliminatespy.com - Email: test@now.net.cn 
eliminatethreat.com - Email: test@now.net.cn 
eiiminatethreats.com - Email: test@now.net.cn 
eprotectsystem.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
fantasticscan2.com - Email: test@now.net.cn 
fortescanner.com - Email: test@now.net.cn 
four4defence.com - Email: test@now.net.cn 
fprotectsystem.com - Email: test@now.net.cn 
house2call.com - Email: test@now.net.cn 
house4call.com - Email: test@now.net.cn 
ibewareofdanger.com - Email: test@now.net.cn 
iresearchdefence.com - Email: test@now.net.cn 
ldefenceresearch.com - Email: test@now.net.cn 
micro2smart.com - Email: test@now.net.cn 
micro4smart.com - Email: test@now.net.cn 
micro6smart.com - Email: test@now.net.cn 
necessitydefense.com - Email: test@now.net.cn 
nolongerthreat.com - Email: test@now.net.cn 
nova3-antispyware.com - Email: test@now.net.cn 



nova4-antispyware.com - Email: test@now.net.cn 
nova5-antispyware.com - Email: test@now.net.cn 
nova7-antispyware.com - Email: test@now.net.cn 
nova8-antispyware.com - Email: test@now.net.cn 
nova-antivirusl.com - Email: test@now.net.cn 
nova-antivirus2.com - Email: test@now.net.cn 
novascanner2.com - Email: test@now.net.cn 
nova-scanner2.com - Email: test@now.net.cn 
novascanner3.com - Email: test@now.net.cn 
nova-scanner3.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 
nova-scanner4.com - Email: test@now.net.cn 
novascanner5.com - Email: test@now.net.cn 
nova-scanner5.com - Email: test@now.net.cn 
novascanner7.com - Email: test@now.net.cn 
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nova-scanner7.com - Email: test@now.net.cn 
onguardsystem2.com - Email: test@now.net.cn 
overllscanner.com - Email: test@now.net.cn 
pcguardsystem2.com - Email: test@now.net.cn 



pcguardsystems.com - Email: test@now.net.cn 
pcpiscanner.com - Email: test@now.net.cn 
pitstopscan.com - Email: test@now.net.cn 
protectionfunctions.com - Email: test@now.net.cn 
protectionmeasure.com - Email: test@now.net.cn 
protectionmethods.com - Email: test@now.net.cn 
protectionoffices.com - Email: test@now.net.cn 
protectionprincipies.com - Email: test@now.net.cn 
protectsystema.com - Email: test@now.net.cn 
protectsystemc.com - Email: test@now.net.cn 
protectsystemd.com - Email: test@now.net.cn 
protectsysteme.com - Email: test@now.net.cn 
protectsystemf.com - Email: test@now.net.cn 
researchdefence.com - Email: test@now.net.cn 
researchysecurity.com - Email: test@now.net.cn 
spywarekiiiera.com - Email: test@now.net.cn 
spywarekillerc.com - Email: test@now.net.cn 
spywarekillerd.com - Email: test@now.net.cn 
spywarekillere.com - Email: test@now.net.cn 
spywarekillerr.com - Email: test@now.net.cn 



spywarekillerz5.com - Email: test@now.net.cn 
stainsscanner2.com - Email: test@now.net.cn 
stop20attack.com - Email: test@now.net.cn 
tendefender2.com - Email: test@now.net.cn 
thelosers2010.com - Email: test@now.net.cn 
trivalsoftware.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
use6defence.com - Email: test@now.net.cn 
viruskiller3a.com - Email: test@now.net.cn 
viruskiller4a.com - Email: test@now.net.cn 
viruskiller5a.com - Email: test@now.net.cn 
viruskiller6a.com - Email: test@now.net.cn 
webfilterlOO.com - Email: test@now.net.cn 
webfilter999.com - Email: test@now.net.cn 
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn 
yourguardsystem2.com - Email: test@now.net.cn 
z22windows-scan.com - Email: test@now.net.cn 
z23windows-scan.com - Email: test@now.net.cn 



z25windows-scan.com - Email: test@now.net.cn 
z27windows-scan.com - Email: test@now.net.cn 
zaresearchsecurity.com - Email: test@now.net.cn 
Detection rates: 

- setup.exe - [34]Net-Worm:W32/Koobface.HN; 
Mai/Koobface-D - Result: 11/41 (26.83 %) 

1359 

- avdistr_312.exe - [35]Trojan.FakeAV!gen24; 

Trojan.FakeAV - Result: 8/41 (19.52 %) 

Upon execution phones back to: 

slsystem.com/do wnload/winlogo. bmp - 

91.213.157.104 - Email: contact@privacy-protect.cn 

accsupdate.com/?b=l 03si -193.105.134.115 - Email: 
contact@privacy-protect. cn 

Previous parked on 91.213.217.106, A542473 ’ ANEXIA-AS 
now responding to 193.105.134.115, AS42708, PORTLANE: 

networkilO.com - Email: contact@privacy-protect.cn 

winsecuresoftorder.com - Email: contact@privacy- 
protect.cn 

time-zoneserver.com - Email: contact@privacy-protect.cn 

lbiacklist.com - Email: contact@privacy-protect.cn 

In order to understand the importance of profiting Koobface 
gang's activities, consider going their their underground 



multitasking campaigns in the related posts. 

Related Koobface botnet/Koobface gang research: 

[3 6] From the Koobface Gang with Sea re ware Serving 
Compromised Sites 

[37] Dissecting Koobface Gang's Latest Facebook Spreading 
Campaign 

[38] Koobface Redirectors and Sea re ware Campaigns Now 
Fiosted in Moldova 

[39] 10 things you didn't know about the Koobface gang 

[40] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[41 ]Fiow the Koobface Gang Monetizes Mac OS X Traffic 

[42] The Koobface Gang Wishes the Industry "Fiappy 
Fi olid ays" 

[43] Koobface-Friendly Riccom LTD - AS29550 - (Finally) 
Taken Offline 

[44] Koobface Botnet Starts Serving Client-Side Exploits 

[45] Massive Sea re ware Serving Biackhat SEO, the Koobface 
Gang Style 

[46] Koobface Botnet's Scareware Business Model - Part Two 

[47] Koobface Botnet's Scareware Business Model - Part One 

[48] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 



[49] New Koobface campaign spoofs Adobe's Flash updater 

[50] Social engineering tactics of the Koobface botnet 

[51] Koobface Botnet Dissected in a Trend Micro Report 

[52] Movement on the Koobface Front - Part Two 

[53] Movement on the Koobface Front 

[54] Koobface - Come Out, Come Out, Wherever You Are 

[55] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [56]Dancho 
Danchev's blog. Follow him [57Jon Twitter. 
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Inside a Commercial Chinese DIY DDoS Tool (2010-05- 
26 13:55) 

One of the most commonly used tactics by shady online 
enterprises wanting to position themselves as legitimate 

ones ([l]Shark2 - RAT or Malware? ), is to promote 
malicious software or Denial of Service attack tooks, as 
remote access control tools/stress testing tools. 

Chinese "vendors" of such releases are particularly 
interesting, since their front pages always position the tool 
as a 100 % legitimate one, whereas going through the 
documentation, and actually testing its features reveals its 
true malicious nature. Moreover, once the vendor starts 
trusting you - like the one whose DDoS tool is profiled in 
this post - you're given access to the private section of their 
forum, where they are directly pitching you with DDoS 















for hire propositions, starting from $100 for 24 hours 
of non-stop flood. 

• Related post: [2] Massive SQL Injection Attacks - the 
Chinese Way 

In this post I'll review what's currently being promoted as 
"The World's Leading DDoS Testing System", which is 
basically an improved version of a well known " Netbot 
Attacker", an old school release whose source code 

([3]Localizing Open Source Malware; [4]Custom DDoS 
Capabilities Within a Malware; [5]Custom DDoS 
Attacks Within Popular Malware Diversifying) is 

greatly favored by Chinese hacktivists and script kiddies, 
based on the multiple modifications they've introduced in it 
using the original source code. 
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Interestingly, the "vendor" is offering value-added services 
in the form of managed command and control server 
changes, the typical managed binary obfuscation, as well as 
custom features, removal of features in an 

attempt to decrease the size of the binary, but most 
importantly, they use differentiated pricing methods for 
their tool. Educational institutions, small businesses and 
home office clients can get special prices. 

• Why would the vendor include anti sandboxing 
capabilities in the latest version of the tool? 

• Why would the vendor also include P2P spreading and 
USB spreading modules? 

Because the tool is anything but your typical stress testing 
tool. 



Perhaps, one of the most important developments 
regarding this vendor, is that this is among the few 
ex¬ 
amples that I'm aware of where [6]Chinese hackers 
known not to care about anything else but virtual 
goods, are vertically integrating by experimenting 
with early-state banking malware. 

An excerpt from the banking experiment: 

" MS-recorder to wear all the safety test shows the major 
B2C online banking security controls: Received after the 
first test colt extracting file, which has ma.exe procedures. 
As the tests are over Please turn off antivirus software and 
security software testing. . . 

Wear all safety major B2C online banking security 
controls currently supports more than can be 
intercepted 

more than 160 online online payment platform And 
major online banking. After running ma.exe can log on to 
the respective online banking program Alipay paypal or 
procedures to test, test and test interception of information 
stored in the pony 

The same directory, Test will generate Jlz-1, Jlz-2, Jiz-3 ... 
folder, such files in the folder will be l.bmp, 2.bmp, 3.bmp 
... picture, or there txt Notepad, view the. txt and picture, 
get the interception of data and information. Test window 
will prompt pony run, test interception of information larger, 
there is no written function. To solve the above problem, 
please purchase the official version, run silent, run 
automatically delete itself, no process at startup, had all 
killed, the interception of information 



Expected small size, with letters function. VIP version of the 
generator purchase one year of free updates, free to kill 
three months to buy the colt package. Set the FTP 
transmission method to send the interception of STM P FTP. 

Perfect information theft can steal all the passwords and 
related information, such as: QQ, ICQ, Yahoo Messenger, 
Vicq, OutLook, FlashFXP, PayPal, E-mail and paypai (no 
security control), Legend, mercenary legend, Journey to the 
West, etc. (include account number, area and other relevant 
information), of course, the same information on the page 
steal, such as: mail, forums, dose protection, and other 
(including user name, password and other related 
information), or even playing in the diagram, Password chip 
can, because it can record the keyboard and mouse actions. 
It is worth mentioning that, no matter what way you enter 
the password (such as Paste from somewhere, then paste 
the part of the input part, the number before the 0, 
deliberately enter the wrong password first and then delete 
the wrong part, etc.) Adopted the "filters" which makes 
stealing the contents do not appear out of "junk" in precise 
steal... The correct password." 

Clearly, these folks are not just inspired to continue 
introducing new features within the tool, but are starting to 
realize the potential of the crime ware market, with the 
vendor itself representing a good example on how once it 
was allowed to continue operations, it's naturally evolving 
in the worst possible direction. The author of ZeuS, 
however, shouldn't feel endangered in any way. 

Screenshots of the DIY DDoS Platform, including the 
multiple versions offers, VIP, sample custom made 
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Detection rates for the publicly obtainable builders 
of multiple versions: 

- MS.exe - [7]Backdoor Hupigon.AAAH - Result: 26/40 (65 
%) 

- msn.exe - [8]Win32.BD5Poison.Cpd - Result: 36/41 (87.81 
%) 

- test.exe (crimeware experiment) - [9]Hacktool.Rootkit - 
Result: 24/41 (58.54 %) 

- msl.exe - [lOJBackdoor. Win32 .Black Hole - Result: 13/41 
(31.71 %) 

- msl.exe - [ll]W32/Hupigon.gen227; 

Backdoor.Hupigon.AAAH - Result: 35/41 (85.37 %) 

Based on the profiling the localization of this tool to Chinese 
since 2007, the diversification of the DDoS at¬ 
tacks introduced in it by Chinese coders ([12]Localizing 
Open Source Malware; [13]Custom DDoS Capabilities 
Within a Malware; [14]Custom DDoS Attacks Within 
Popular Malware Diversifying), perhaps the most 
important conclusion that can be drawn is that, tolerating 
their activities in the long term results in the development 
of more sophisticated capabilities which can now be offered 
to a well established customer base. 

If Chinese hacktivists managed to take CNN.com offline 

([15]The DDoS Attack Against CNN.com; [16]Chinese 
Hacktivists Waging People's Information Warfare 
Against CNN) using nothing else but ping flooders/iFrames 
loading multiple copies of the site, the collectivist response 


in a future incident using these much more sophisticated 
tools - 

sophisticated in sense of the diverse set of DDoS attacks 
offered - is prone to be much more effective. 

Related Chinese hacking scene/hacktivism coverage 

[17] Localizing Open Source Malware 
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[18] Custom DDoS Capabilities Within a Malware 

[19] Custom DDoS Attacks Within Popular Malware 
Diversifying 

[20] The FirePack Exploitation Kit Localized to Chinese 
[21 JMPack and IcePack Localized to Chinese 

[22] Massive SQL Injection Attacks - the Chinese Way 

[23] A Chinese DIY Multi-Feature Malware 
[24JDIY Chinese Passwords Stealer 

[25] A Chinese Malware Downloader in the Wild 

[26] Chinese Flackers Attacking U.S Department of Defense 
Networks 

[27] Chinese Flacktivists Waging People's Information 
Warfare Against CNN 

[28] The DDoS Attack Against CNN.com 
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Spamvertised Client-Side Exploits Serving Adult 
Content Themed Campaign (2010-05-28 15:29) 

There's no such thing as free porn, unless there are client- 
side exploits in the unique value proposition's mix. 

A currently spamvertised campaign is doing exactly the 
same, in between relying on the recent [1JCVE-2010- 

0886 vulnerability Let's dissect the campaign, and 
combine the assessment with historical OSINT data, given 
the fact that the 2nd phone back location, including the 
binary hosted there are currently down. 

• Key summary point: although the exploitation is taking 
place, the campaign is currently failing to drop actual 
binary, returning NOEXEFILE error message. The post will be 
updated once the situation changes. 

a 

This post has been reproduced from [2]Dancho 
Danchev's blog. Follow him [3Jon Twitter. 

1. htto://cve.mitre.or a/c ai-bin/cvename.cai?name=CVE- 
2010-0886 

2. htto://ddanchev.blo as oot. com/ 

3. http://twitter.com/danchodanchev 
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Summarizing Zero Day's Posts for May (2010-05-31 
18:40) 

The following is a brief summary of all of my posts at 

[IJZDNet's Zero Day for May, 2010. You [2Jean also go 

through 

[3] previous summaries, as well as subscribe to my 

[4] personal RSS feed, [5]Zero Day's main feed, or 

follow me on Twitter: 

Recommended reading: 

• [6]Should a targeted country strike back at the cyber 
attackers? 

• [7]HotmaiTs new security features i/s Gmail's old security 
features 
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• [8]5tudy finds the average price for renting a botnet 

• [9]5 reasons why the proposed ID scheme for Internet 
users is a bad idea 

01. [lOJFoxit Reader intros new Safe Reading feature 

02. [llJShould a targeted country strike back at the cyber 
attackers7 

03. [12]Malware Watch: iTunes gift certificates, Skype 
worm, fake CVs and greeting cards 

04. [13]Wardriving police: password protect your wireless, 
or face a fine 

05. [14]Research: 1.3 million malicious ads viewed daily 



06. [15]Malware Watch: Rogue Facebook apps, fake 
Amazon orders, and bogus Adobe updates 

07. [16]Hotmail's new security features i/s Gmail's old 
security features 

08. [17]5tudy finds the average price for renting a botnet 

09. [18]5 reasons why the proposed ID scheme for Internet 
users is a bad idea 

This post has been reproduced from [19]Dancho 
Danchev's blog. Follow him [20]on Twitter. 
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proposed-id-scheme-for-internet-users-is-a-bad-idea/ 
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Vendor of Mobile Spying Apps Drives Biz Model 
Through DIY Generators (2010-06-03 15:09) 

It's always worth monitoring the developments in the 
commercial mobile spying apps space. In particular, the 

inevitable customerization/customization of their services. 

A shady vendor of such applications, is attempting to 
migrate from the mass market model of competing ven¬ 
dors, by offering its potential customers to ability to 
generate their own .sis files, for the spying app targeting 
Symbian OS 9 platform. The DIY features also include [l]the 
ability to self sign their own certificates. The price tag? 

A hefty price tag of £3000, and no refunds offered. 
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What's their true motivation behind the release of the DIY 
generation tool? It appears that they are primarily 





interested with scaling their business operations, allowing 
potential resellers the option to automatically generate the 
spying apps. Although the self-signing certificate option is 
interesting, mobile [2]malware authors continue 
abusing Symbian Foundation's certificate signing 
process, surprisingly, by using bogus company names with 
no public reference of their existence. 

Thanks to the improving monetization models for mobile 
malware (e.g. 

calling/SMSing premium rate num¬ 
bers), mobile malware authors are only starting to 
realize/abuse the potential of the micro payments market 

segment. 

Related posts on mobile malware: 

[3] The future of mobile malware - digitally signed by 
Symbian? 

[4] Commercial spying app for Android devices released 

[5] iHacked: jail broken iPhones compromised, $5 ransom 
demanded 

[6] New Symbian-based mobile worm circulating in the wild 

[7] New mobile malware silently transfers account credit 

[8] Transmitter.C mobile malware spreading in the wild 

[9] Transmitter.C Mobile Malware in the Wild 

[lOJProof of Concept Symbian Malware Courtesy of the 
Academic World 



[llJCommercializing Mobile Malware 

[12] Mobile Malware Scam iSexPlayer Wants Your Money 

Related posts on SMS Ransomware: 

[13] New ransomware locks PCs, demands premium SMS for 
removal 

[14] Mac OS X SMS ransomware - hype or real threat? 
[15JSMS Ransomware Displays Persistent Inline Ads 

[16] 6th SMS Ransomware Variant Offered for Sale 

[17] 5th SMS Ransomware Variant Offered for Sale 

[18] 4th SMS Ransomware Variant Offered for Sale 

[19] 3rd SMS Ransomware Variant Offered for Sale 
[20JSMS Ransomware Source Code Now Offered for Sale 
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Dissecting the Ongoing U.S Federal Forms Themed 
Blackhat SEO Campaign - Part Two (2010-06-03 
18:56) 

UPDATED: Sunday, June 06, 2010. 

The new redirections currently take place through 

www4.greatav40-td.co.cc/?uid=213 &pid=3 
&ttl=51545746f5c (93.190.141.40) and 
wwwl.avscaner-40pr.co.cc (217.23.5.52). 

Parked on 93.190.141.40, A549981, WorldStream are also: 

www3.justsoftl 2-td. co. cc 
www3. donrart55-td. co. cc 


www3. donrart5 7-td. co. cc 

















www3. donrart59-td. co. cc 


www4. s win termz. cz. cc 
www3. goldvox-50td.xorg.pl 
www3. goldvox-60td.xorg.pl 
www3. goldvox-52td.xorg.pl 
www3. goldvox-54 td.xorg.pl 
www3. goldvox-64 td.xorg.pl 
www3. goldvox-56td.xorg.pl 
www3. goldvox-58td.xorg.pl 
wwwl. check-sa veyour-pc-no w. in 
wwwl. in-safe-keepmyzone. in 
wwwl. makesafe-scan-forsure. com 
Detection rate: 

- p a ckupdate107 213.exe - [ 1 ]Trojan. Fake alert, origin; 
Mal/FakeAV-BW - Result: 12/41 (29.27 %) 
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Upon execution, the sample phones back to: 

updatel.free-guard.com - 95.169.186.25; 188.124.5.64 - 
Email: gkook@checkjemail.nl 


update2.protect-helper.com - 78.159.108.170 - Email: 
gkook@checkjemaU. nl 

secure2.protectzone.net - 91.207.192.24 - Email: 
gkook@checkjemaii. nl 

securel.protect-zone.com - 209.212.147.241 - Email: 
gkook@checkjemail. nl 

securel.protect-zone.com - 209.212.147.241 - Email: 
gkook@checkjemail. nl 

www5.securitymasterav.com - 91.207.192.25 - Email: 
gkook@checkjemail. nl 

update2.free-guard.net - Email: gkook@checkjemail.nl 

report.land-protection.com -188.124.7.156 - Email: 
gkook@checkjemail. nl 

report.goodguardz.com - 93.186.124.94 - Email: 
gkook@checkjemaU. nl 

report.zoneguardland.com - 93.186.124.91 - Email: 
gkook@checkjemaU. nl 

reportl.stat-mx.xorg.pl -109.196.132.41 - Email: 
gkook@checkjemail. nl 

securel.protect-zone.com - 209.212.147.241 - Email: 
gkook@checkjemaii. nl 

74.125.45.100 

74.82.216.3 

Parked on 95.169.186.25 (AS31103, KEYWEB-AS); 
188.124.5.64 (AS44565, VITAL TEKNOLOJI) are also: 



www3.justsoftl 1-td. co. cc 
www3.justsoftl 2-td. co. cc 
www4. s win termz. cz. cc 
www4. trustzonel 7-td. xorg.pl 
www3. coantys-41td.xorg.pl 
www3. coantys-42td.xorg.pl 
www3. coantys-46td.xorg.pl 
www4. miymiy3. com 
upda tel. free-guard. com 
useguard.com 
updatel.useguard.com 
www2. a vcleaner30-pd. co. cc 
wwwl. fa vorita v30-pd. co. cc 
www2. a vcleaner32-pd. co. cc 
www2. a vcleaner34-pd. co. cc 
wwwl. fa vorita v34-pd. co. cc 
www2. a vcleaner36-pd. co. cc 
wwwl. fa vorita v36-pd. co. cc 
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www3. a vprotector54-td.xorg.pl 
www3. a vprotector56-td.xorg.pl 
upda tel. free-guard. com 
updatel. winsystemupdates.com 

Remember the massive blackhat SEO campaign using U.5 
Federal Forms themed keywords, which was exten¬ 
sively profiled in August, 2009? 

• [2]Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords > Serves Sea re ware 

• [3JU.S Federal Forms Blackhat SEO Themed 
Scareware Campaign Expanding 

• [4]Dissecting the Ongoing U.S Federal Forms 
Themed Blackhat SEO Campaign 

• [5]Koobface-Friendly Riccom LTD - AS29550 - 
(Finally) Taken Offline - multiple connections 

The cybercriminals behind it, never really stopped feeding 
new domains, including compromised ones, naturally 

diversifying the set of topics in order to serve scareware. 
Now that enough data is gathered, naturally exposing 
connections within the cybercrime ecosystem which would 
be communicated using the " perfect timing, perfect 
channel" philosophy, it's time to dissect the online 
campaign, expose the entire portfolio of domains involved, 
and, of course, take it down. 

What particularly interesting about this gang, is their dear 
understanding of QA (quality assurance) for the sake of 



increase OPSEC (operational security). 

Just like the previous campaigns, each individual domain 
involved 

in the campaign is registered using a separate email, in the 
majority of cases it's an automatically registered one. 
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With or without the QA, there's no escape from the 
monetization vector - in this case, and like many other - 
sea re ware. 

Domains used in the blackhat SEO campaign, none of these 
are currently flagged as harmful: 

Hp5p8h.co.cc - Email: mijkzh@gmail.com 

lus51n.co.cc - Email: mqxd2r2@gmail.com 

aifmydpuhv.eo.ee - Email: kent.attonis9140@yahoo.com 

amquijycpntb.co.ee - Email: volf.aittalal388@yahoo.com 

aqejhilmvb.eo.ee - Email: 
amandeep. terrisse8102@yahoo. com 

arnepqjya.co.ee - Email: vkpnzxn@gmail.com 

bekqjcra.co.ee - Email: yaala.benardos7911@yahoo.com 

benyd.eo.ee - Email: Iexyb610@gmail.com 

bestdesision.eo.ee - Email: an9020@bk.ru 

bipilyqomyusvuhy.eo.ee - Email: 
eeclllw3xqul 9tr9wb@gmail. com 



bjalumericz.co.cc - Email: 
diamond. aittaia4367@yahoo. com 

chammaope.co.cc - Email: wefergss@ukr.net 

coebfjqmkhsn.co.cc - Email: 
kent.attonis9140@yahoo. com 

comp-s.co.cc - Email: stasl4423321@maii.ru 

eynuqacjrtiz.co.cc - Email: 
ketina. tomsic2552@yahoo. com 

getmoney4me.co.cc - Email: finaiizerl2@mail.ru 

goumucnypuxuhyikzi.co.ee - Email: 
ekx7roq8p5hrd61 tah@gmail. com 

hiokirygohxinugohu.eo.ee - Email: 
q88zh 7dwshibteg05l@gmail. com 

hryjhuklo.eo.ee - Email: fgyuhedgdrfghhio@ymail.com 

ibdumycp.co.ee - Email: madeiyn.ajail243@yahoo.com 

ifohviwihuuxitqoii.co.ee - Email: 
bsowez9uspl u8cjyxp@gmail. com 

ifyfgybyuxisoffu.eo.ee - Email: 
5nrg2bgm2og0cloxpf@gmail. com 

ihquyrvutyridyuwyj.eo.ee - Email: 
whl p9c5f0jwlvn5jlq@gmail. com 

ijojinhuxifykygysu.eo.ee - Email: 

Iq 7s26llpq2sxbcyd9@gmail. com 

imdjrsfybnav.eo.ee - Email: sarig.ajaye7737@yahoo.com 



incom-sale.co.cc - Email: wisha700 _5@yahoo.com 

inoltoumydonulijuk.co.ee - Email: 
e6pgu8mamts6fco5il<@gmail. com 

iroqimcuohubizgooh.co.ee - Email: 
sku0cthz7ttgzwaqzw@gmail. com 

iwanti.eo.ee - Email: justtobebeauty@gmail.com 

iyqvogx.eo.ee - Email: do.co.lo.k.oh.o.ngo.v.o@gmail.com 

jepabhto.eo.ee - Email: festas.mciiseyl646@yahoo.com 

kiaxmh4.co.cc - Email: kiaxmh@kiaxmh.com 

kiboinikixuvquliro.eo.ee - Email: 
5k2j7bnpxzgkoyibb0@gmail. com 

krghiqyiht.eo.ee - Email: ouhegtlx@yahoo.com 

kyogpylymypusulojo.co.ee - Email: 
rrykuqs44ilgf2xd6q@gmail. com 

itcsiO.co.ee - Email: v9xodcm@gmail.com 

omsuimuhysjoujiqip.eo.ee - Email: 
nattyxbfp vcaivauf6@gmail. com 

opimuzxiyrxigoiwur.eo.ee - Email: 
ebiy9hwt817zs5m0wa@gmail.com 

ostozuorypofitjuti.eo.ee - Email: 
2rdo8uwhl4y5mqckkh@gmail. com 
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pqusrzycd.co.cc - Email: adalricus.aijala4749@yahoo.com 

ptvibnrjeayh.co.ee - Email: 
miiiani. mccomrick3922@yahoo. com 

pubaxj.eo.ee - Email: runuk8976@gmail.com 

pucrsnihoqy.co.ee - Email: 
dal Ha. babusek8958@yahoo. com 

qbhomskuine.eo.ee - Email: 
keona. canose6839@yahoo. com 

qcumoyh.co.ee - Email: 
bethiah. mcglasky5891 @yahoo. com 

qyczejdlita.co.ee - Email: 
a begail. woitkoski3075@yahoo. com 

ridcamybv.co.ee - Email: 

laurentius. diamandoglou5401 @yahoo. com 

rithubmolnda.eo.ee - Email: 
adalynn.aiololo3070@yahoo. com 

riyvroiqfoydcilifo.co.ee - Email: 
irjghmpq7w9Wah6rz@gmail.com 

rnoqzydjuia.eo.ee - Email: ieuan.calcutt9416@yahoo.com 

rpdkjuaft.eo.ee - Email: worley.biernackal945@yahoo.com 

rybidlzck.co.ee - Email: ander.airwyk9339@yahoo.com 

ryliydulivuvdojo.co.ee - Email: 
b5657927wcdn48k3u2@gmail.com 



rywutydymoxyodygyt.co.ee - Email: 
e8fzpd2yzy4 w8hf7t4@gmail. com 
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sdemfjotuc.co.ee - Email: 
annemarie. bichan3685@yahoo. com 

search-portal.co.ee - Email: akhmadarroyan@gmaii.com 

siycugufryyrkoylky.co.ee - Email: 
v5o71 m4qiy5is0zcs3@gmail. com 

sounluolvuoxyqixky.eo.ee - Email: 
ay2643zdi8kywwu444@gmail. com 

sprqucoatz.co.ee - Email: 
vindhya.perilean5722@yahoo. com 

ucywmuziboytylwi.co.ee - Email: 
m45267tiipj7xk9n 71 @gmaii. com 

unotufukujygugusto.eo.ee - Email: 
qe2m9slabdvw02gl p3@gmaii. com 

upykhogupiybuwojyz.eo.ee - Email: 

7ea 7iuibkzmfp0grso@gmaii. com 

usbokuycryocyjykqi.co.ee - Email: 

5fnuzbof36ugl 9ly7f@gmail. com 

vobyumfoodzygubuyv.eo.ee - Email: 
mjkexe0d9gaqkzihlo@gmail. com 

xepepele969.co.cc - Email: bemumoro6654@gmaii.com 

xodovumuycguhyujip.co.ee - Email: 
zeqa 6hr6kltwpt6eis@gmail. com 



yfwiiwoqwipihovo.co.ee - Email: 
87koy5ljr5j4oe9dcm@gmail. com 

ygitysbocysokuujok.co.ee - Email: 
qa0gvqsa8t3dr5u3yr@gmaii. com 

ykraivec.co.ee - Email: wergr@ukr.net 

ynywyvtioxiloghoin.eo.ee - Email: 
g955emcus8z0dbfebs@gmail. com 

yourbestchose.co.ee - Email: daan900@bk.ru 

yzirukwoilokocpohi.co.ee - Email: 
scqnbtps908moi8rgx@gmail. com 
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The .co.cc domains portfolio responds to the following IPs, 
parked on them are also related malicious domains: 

69.163.236.70 

78.159.114.244 

82.146.50.101 

82.146.54.111 

82.146.50.156 

82.146.54.116 

82.146.54.118 


82.146.54.119 


82.146.54.122 


82.146.54.129 

82.146.50.183 
82.146.54.143 

82.146.50.184 
82.146.50.188 
82.146.54.150 
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82.146.50.193 

82.146.50.194 
82.146.50.213 
82.146.54.177 
82.146.51.237 
82.146.53.244 
82.146.54.62 
82.146.54.69 
82.146.54.84 

84.16.236.31 

84.16.236.32 


84.16.229.42 



89.149.202.106 


89.149.226.127 

89.149.201.224 
89.149.255.174 

89.149.255.20 

89.149.238.225 

89.149.255.21 
89.149.200.47 
89.149.237.83 

92.63.105.179 
92.63.105.191 
92.63.98.239 

94.76.205.176 

94.76.205.177 

94.76.205.178 

94.76.205.180 

94.76.205.182 

94.76.205.183 

94.76.205.184 


174.121.196.227 



174.120.128.62 


188.120.231.249 

205.234.222.169 

212.95.56.102 

212.95.56.104 

212.95.56.89 

212.95.56.92 

212.95.56.93 

212.95.56.95 

212.95.56.96 
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Compromised sites part of the blackhat SEO campaign: 

kleertjesenmooi. nl 
knapadvies. nl 
kruidendreef60. nl 
kruijspunt.nl 
ktf-texel.nl 
lali.nl 

laplanchette.nl 


Ienzfilm.nl 


leuveld.nl 

liana-makeup, com 

I id a van velzensportmassage. nl 

lief4 kids, com 

logamklusmaster. nl 

lookingblueeye.nl 

luccie-007.nl 

lucmeubelbouw.nl 

lukasart.nl 

maakkennismetkennis.nl 
magisoft.be 
magnetenspecialist. nl 
mahu-services. nl 
maismoe.nl 
makaroni. info 
malena-team. nl 
maliebaanutrecht.nl 

Once the end user clicks on a link found within Google's 
index, a tiny Js checks the referrers (compromised 



_site.nl/directory/randomcontent.js) and the redirection 
takes place. For instance: 

- www3.donrart58-td.co.cc/ ?uid=213 &pid=3 
&ttl=21f4e73673b - 93.190.141.41 - Email: 
mail work. abc@gmaii. com 

- www2.uberguardzz6.com - 94.228.220.114 - Email: 
gkook@checkjemaii. nl 

- wwwl.favoritav31-pd.co.cc -188.124.5.66 - Email: 
mail work. abc@gmaii. com 

- www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: 
mail work. abc@gmaii. com 

Where do we know [6]the same campaigner (?uid=213 
&pid=3 &ttl=21f4e73673b) from? 

From [7] related 

campaigns. 
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Parked on 93.190.141.41, donrart58-td.co.cc, A549981 
WorldStream are also: 

www3.justsoftl 1-td. co. cc 

www3. donrart56-td. co. cc 

wwwl.newav31-pr.co.cc 

www3. goldvox-51 td.xorg.pl 


www3. goldvox-61 td.xorg.pl 

www3. goldvox-53td.xorg.pl 

www3. goldvox-55td.xorg.pl 

www3.goldvox-57td.xorg.pl 

www3. goldvox-59td.xorg.pl 

wwwl.bestdefender-58p.xorg.pl 

www4.miymiy3.com - 93.190.141.41 - Email: 
gkook@checkjemail. nl 

www3.ruboidmon-60td.com - 93.190.141.41 - Email: 
gkook@checkjemail. nl 
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Parked on 188.124.5.66, favoritav31-pd.co.cc, AS44565 
VITAL TEKNOLOJl are also: 

www2. a vcleaner31 -pd. co. cc 

www2. a vcleaner35-pd. co. cc 

www3. a vprotector51-td.xorg.pl 

www3. a vprotector53-td.xorg.pl 

www3. a vprotector55-td.xorg.pl 

www3. a vprotectorS 7-td.xorg.pl 

www3.omgsaveit4.com - 74.118.194.76 - Email: 
gkook@checkjemaU. nl 



useguard.com - 95.169.186.25 - Email: 
gkook@checkjemail. n! 

updatel.useguard.com - 95.169.186.25 - Email: 
gkook@checkjemail. ni 

www4.miymiy2.net - Email: gkook@checkjemail.nl 
Parked on 95.169.186.25, A531103, KEYWEB-A5 are also: 

www3.justsoftl O-td. co. cc 
www4. free warezl O-td. co. cc 
www3.justsoftl 1-td. co. cc 
www3.justsoftl 2-td. co. cc 
www3. a vforyou23-td. co. cc 
www4. s win termz. cz. cc 
www4. trustzonel 6-td.xorg.pl 
www4. trustzonel 7-td. xorg.pl 
www4. trustzonel 9-td.xorg.pl 
www3. coantys-41td.xorg.pl 
www3. vointuas-81td.xorg.pl 
www3. coantys-42td.xorg.pl 
www3. coantys-46td.xorg.pl 
www4. miymiy3. com 
useguard.com 
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Detection rate: 

- packupdate 107 _213.exe - [8]TROJ_FRAUD.SMAF; 
Mal/FakeAV-AX - Result: 28/40 (70 %) 

Phones back to: 

updatel.useguard.com - 95.169.186.25 - Email: 
gkook@checkjemaii. nl 

update2.guardinuse.net - 78.159.108.171 - Email: 
gkook@checkjemaii. nl 

securel.protect-zone.com - 209.212.147.241 - Email: 
gkook@checkjemail. nl 

secure2.protectzone.net - 91.207.192.24 - Email: 
gkook@checkjemaU. nl 

report.goodguardz.com - 93.186.124.94 - Email: 
gkook@checkjemaU. nl 

74.82.216.3/ncr - [9]interesting HOSTS file modification 

01 - Hosts: 74.125.45.100 4-open-davinci.com 

01 - Hosts: 74.125.45.100 securitysoftwarepayments.com 

01 - Hosts: 74.125.45.100 privatesecuredpayments.com 

01 - Hosts: 74.125.45.100 
secure.privatesecuredpayments.com 

01 - Hosts: 74.125.45.100 getantivirusplusnow.com 


01 - Hosts: 74.125.45.100 secure-plus-payments.com 

01 - Hosts: 74.125.45.100 
http://www. getantivirusplusnow. com 

01 - Hosts: 74.125.45.100 http://www.secure-plus- 
payments. com 

01 - Hosts: 74.125.45.100 http://www.getavplusnow.com 

01 - Hosts: 74.125.45.100safebrowsing-cache.google.com 

01 - Hosts: 74.125.45.100 urs.microsoft.com 

01 - Hosts: 74.125.45.100 
h ttp://www. securesoftwarebill. com 
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01 - Hosts: 74.125.45.100secure.paysecuresystem.com 

01 - Hosts: 74.125.45.100 paysoftbillsolution.com 

01 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com 

01 - Hosts: 74.82.216.3 http://www.google.com 

01 - Hosts: 74.82.216.3 google.com 

01 - Hosts: 74.82.216.3 google.com.au 

01 - Hosts: 74.82.216.3 http://www.google.com.au 

01 - Hosts: 74.82.216.3 google.be 

01 - Hosts: 74.82.216.3 http://www.google.be 

01 - Hosts: 74.82.216.3 google.com.br 



01 - Hosts: 74.82.216.3 http://www.google.com.br 

01 - Hosts: 74.82.216.3 google, ca 

01 - Hosts: 74.82.216.3 http://www.google.ca 

01 - Hosts: 74.82.216.3 google, ch 

01 - Hosts: 74.82.216.3 http://www.google.ch 

01 - Hosts: 74.82.216.3 google.de 

01 - Hosts: 74.82.216.3 http://www.google.de 

01 - Hosts: 74.82.216.3 google.dk 

01 - Hosts: 74.82.216.3 http://www.google.dk 

01 - Hosts: 74.82.216.3 google.fr 

01 - Hosts: 74.82.216.3 http://www.google.fr 

01 - Hosts: 74.82.216.3 google.ie 

01 - Hosts: 74.82.216.3 http://www.google.ie 

01 - Hosts: 74.82.216.3 google.it 

01 - Hosts: 74.82.216.3 http://www.google.it 

01 - Hosts: 74.82.216.3 google.co.jp 

01 - Hosts: 74.82.216.3 http://www.google.co.jp 

01 - Hosts: 74.82.216.3 google.nl 

01 - Hosts: 74.82.216.3 http://www.google.nl 

01 - Hosts: 74.82.216.3 google.no 



01 - Hosts: 74.82.216.3 http://www.google.no 

01 - Hosts: 74.82.216.3 google.co.nz 

01 - Hosts: 74.82.216.3 http://www. google, co. nz 

01 - Hosts: 74.82.216.3 google.pl 

01 - Hosts: 74.82.216.3 http://www.google.pl 

01 - Hosts: 74.82.216.3 google.se 

01 - Hosts: 74.82.216.3 http://www.google.se 

01 - Hosts: 74.82.216.3 google.co.uk 

01 - Hosts: 74.82.216.3 http://www. google, co. uk 

01 - Hosts: 74.82.216.3 google.co.za 

01 - Hosts: 74.82.216.3 http://www.google.co.za 

01 - Hosts: 74.82.216.3 http://www.google-analytics.com 

01 - Hosts: 74.82.216.3 http://www.bing.com 

01 - Hosts: 74.82.216.3 search.yahoo.com 

01 - Hosts: 74.82.216.3 http://www.search.yahoo.com 

01 - Hosts: 74.82.216.3 uk.search.yahoo.com 

01 - Hosts: 74.82.216.3 ca.search.yahoo.com 

01 - Hosts: 74.82.216.3 de.search.yahoo.com 

01 - Hosts: 74.82.216.3 fr.search.yahoo.com 

01 - Hosts: 74.82.216.3 au.search.yahoo.com 
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What's so interesting about it anyway? 

Exact same modification was seen in "[ lOJKoobface 
Botnet's Scare- 

ware Business Model - Part Two ", in regard to the 
Google IP 74.125.45.100 . 

Take down actions are already taking place, updated will be 
posted as soon as new developments emerge. 

Related research on blackhat SEO campaigns: 

[11] The ultimate guide to scareware protection 

[12] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[13] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[14] A Peek Inside the Managed Blackhat SEO Ecosystem 

[15] Dissecting a Swine Flu Black SEO Campaign 

[16] Massive Blackhat SEO Campaign Serving Scareware 

[17] From Ukrainian Blackhat SEO Gang With Love 

[18] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[19] From Ukraine with Scareware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[20] From Ukraine with Bogus Twitter, Linked In and Seri bd 
Accounts 



[21 JFake Web Hosting Provider - Front-end to Scareware 
Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [22]Dancho 
Danchev's blog. Follow him [23Jon Twitter. 

1 . 
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5. http.V/ddanchev.bio as pot.com/2009/12/koobface-friendl v- 
riccom-ltd-as29550. html 

6. http.V/ddanchev.bio as oot. com/2010/05/torrentreactornet- 
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9. http://forum, malekal. com/roaue-securitv-master-ra D Dort- 
hi iack-t2614 7.html 


10. http://ddanchev. blp as ppt. cpm/2009/11/kppbface- 
botnets-scare ware-business, html 

11. http://www.zdnet.cpm/blpg/securitv/the-ultimate-auide- 
to-scare ware-prptectian/4297 

12. http.V/ddanchev. blp as ppt. cam/2010/02/diverse-pprtfplio- 
of-scare wareblackhat.html 

13. http.V/ddanchev. blp as ppt. cam/2009/11/massive- 
scareware-servina-blackhat-sep.html 

14. http.V/ddanchev. blp as ppt. cpm/2009/06/peek-inside- 
manaaed-biackhat-seo.html 

15. http.V/ddanchev. blp as ppt. cpm/2009/05/dissectina-swine- 
fiu-black-sep-campaian.html 

16. http://ddanchev. blp as ppt. cpm/2009/04/massive- 
blackhat-sep-campaian-servina.html 

17. http.V/ddanchev. blp as ppt. cpm/2009/06/frpm-ukrainian- 
blackhat-sep-aana-with.html 

18. http.V/ddanchev. blp as ppt. cpm/2009/06/frpm-ukrainian- 
blackhat-sep-aana-with 09.html 

19. http.V/ddanchev. blp as ppt. cpm/2009/06/frpm-ukraine- 
with-scare ware-serving, html 

20. http.V/ddanchev. blp as ppt. cam/2009/07/fram-ukraine- 
with-bpgus-twitter.html 

21. http.V/ddanchev.blp as ppt.cpm/2009/06/fake-web- 
hpstin a- Drovider-front-end-to.html 
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Dissecting the 100,000+ Scareware Serving Fake 
YouTube Pages Campaign (2010-06-08 21:49) 

Researchers from eSoft are reporting on [1]135,000 Fake 
YouTube pages currently serving scareware, in 

between using multiple monetization/traffic optimization 
tactics for the hijacked traffic. 

Based on the campaign's structure, it's pretty clear that the 
[2]template-ization of malware serving sites ([3]Part 
Two) is not dead. Let's dissect the campaign, it's structure, 
the monetization/traffic optimization tactics used, list ail the 
domains+URLs involved, and establish multiple connections 
(in the face of AS6851, BKCNET "SiA" iZZi) to recent 
malware campaigns - cybercriminals are often customers of 
the same cybercrime-friendly provider. 
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The campaign is relying on a typical mix of compromised 
and purely malicious sites, but is using not just an identical 
template, but identical campaign structure, which remains 
pretty static for the time being. Upon visiting one of the 
sites and meeting the referrer requirement - Google works 
fine - the hardcoded preload.php loads, which is always 
pointing to the same IP, using a randomly generated code, 
which changes overtime - 91.188.60.126/?q=jzhaf - 





AS6851, BKCNET "SIA" IZZI 


inetnum: 91.188.60.0 - 91.188.60.255 
netname: ATECH-SAGADE 
descr: Sagade Ltd. 
descr: Latvia, Rezekne, Darzu 21 
descr: +371 20034981 

remarks: abuse-mailbox: piotrek89@gmail.com 
country: LV 

admin-c: TMCD111-RIPE 
tech-c: TMCD111-RIPE 
status: ASSIGNED PA 
mnt-by: AS6851-MNT 
changed: taner@bkc.lv 20100423 
source: RIPE 

role: TMCD Admin Contacts 
address: leriku 67a, Riga, LV-1084 
org: 0RG-TMDA1-RIPE 
e-mail: bkc@bkc.lv 


admin-c: AS1606-RIPE 




admin-c: TP422-RIPE 


tech-c: RF2443-RIPE 
tech-c: IR106-RIPE 
nic-hdl: TMCD111-RIPE 
changed: taner@bkc.lv 20081023 
source: RIPE 


Moreover, the second traffic optimization strategy takes 
place by loading two different subdomains from 

byethost4.com, where another redirection takes place, this 
time loading the bogus mybookface.net - 209.51.195.115 

- Email: hostorgadmin@googlemail.com 
Sample campaign structure: 

- compromised site, com 

- compromised _site.com/preload.php 

- 91.188.60.126/?q=jzhaf 

- popal.byethost4.com/mlk.php?sub=2 
&r=google. com 

- trash.byethostl4.com/tick.php?sub=l 
&r=google. com 

- cnbutterfiy.com/contact.php7uid=2034 - 74.81.93.227 




- simulshop.com/contact.php?uid=2034 - 

88.198.177.74 

- www3.smartbestavlO.co.cc - 74.118.194.78 
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Domains involved in the campaign: 

action-force, net 
anytimeopen. com 
atomizer.net 
auto, ideazzz. ru 
a vmarket. com. ua 
baby-car.ru 
babystart.eu 
badlhby.com 
bestseller4you.at 
butikk. losnaspeiet. no 
clubshirts. info 
companions411. biz 
egeoptik.com 


e-life. com. mxl 


eshop. mr-servis. cz 

evage.biz 

even thorizon. biz 

fliq.de 

freestyie-shop. ch 
gameartisans. org 
gawex.com.pi 
gct.ro 

geraeusch welten.de 
ignition lb. info 
imalaya.eu 
indovic.net 
irpen. biz 

jasoncorrick. co. uk 
lojavirtual. versameta.pt 
machineinterface.net 
nitmail.com 
olek.co.uk 
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opco.co.ir 

pa home finance, net 

pcmall.ro 

prozoomhosting.net 
rcchina. com. cn 
re co verinstyle. net 
relogio-de-ponto.com.pt 
rhodiola. com. mx 
shop, ullihome. de 
shopzone.ir 
sink-o-mania. com 
sklep.autorud.pl 
sklepl. vinylove.pl 
snews.com.tw 
soposhin vitations. com 
stand rite, com 
teofio werbulbs, ro 
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triominos.ru 


webmas.ca 



wesellmac. com 


wireandthewood. com 
1 classfilter. be 
24shopping. nl 
9mama.pl 
apwireless.ca 
baza met. com.mx 
bead, shop-in-hk. com 
bicigrino. info 
bridezion.de 
buenapetito.net 
calicompras. com 
candjconsulting. us 
carpcompany. ni 
casacristorey. com. mx 
cheekybrats.com.au 
chiri-junior. nl 
corporate-pc. com 
deesis.com.pl 


derise.ee 



digitalelectronicsolutions.biz 
djlstop.com 
firsaturunlerim. com 
gentian.no 
guihua.com.hk 
hydromasaze.com 
iranagrishop. com 
issanni.net 

• [4] Complete list of the actual URLs involved in the 
campaign 

; [5] Paste bin 

jasoncorrick. co. uk 
klim uszko. net 
krasevka.si 

kundalinibooks. com.au 
kuub.com 
lanpower.se 
ieathershop. be 
ludf.net 


marinestores. biz 



microdermals. com 


mingfai.info 
minitar. com. tw 
msproductions. be 
m urgiain ta vola. i t 
mvchorus.org 
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nettohoffnung.de 

paketic.com 

parisa.lt 

pentruacasa. com 
promotechmexico. com. mx 
pursuitsptl. com 
quadroufo. com 
quecumbar. co. uk 
rotas.lt 

sammlereck. info 
sensicacciaepesca. com 
skintwo.biz 
sklep.af.com.pl 



sklep. kafti. com 
sklep. mago. com.pl 
skleplotniczy. pi 
skriptorium.at 
smscom.nl 
spine.com.br 
szemuvegkeret. com 
teldata warehouse, com 
tiouw.nl 

upto wn trellis, co. nz 

viasapia.com. br 

vita-bhv.nl 

widlak-market. com 

wscll2.net 

xfour.es 

yeti.com.pl 

Detection for the scareware, and the manual install binary: 

- install.exe - [6]Trojan.FakeAiert.CC5; 

FraudTool. Win32. SecurityTool (v) - Result: 


16/40 (40 %) - MD5: 



3562be54671al 326eeef8bcfc85bd2a 0 

- packupdatel07 2034.exe - [7]Packed. Win32.Krap.an; 
TrojWare. Win32. Trojan. Fakealert.4193280 - Result: 10/41 

(24.4 %) - MD5: 991bba541el872191ec5eb88c7delf30 

Upon execution the sample phones back to: 

update2.protect-helper.com - 95.169.186.25 - Email: 
gkook@checkjemaii. nl 

updatel.free-guard.com - 95.169.186.25 - Email: 
gkook@checkjemaU. nl 

- install.48728.exe - [8]Trojan.FakeAV; 
TrojanDownloader:Win32/Renos.KX - Result: 26/41 (63.42 %) 

- MD5: 15281 c3f3facl ccdaf43e2b26d32a887 

Upon execution the sample phones back to: 

movieartsworld.com - 216.240.146.119 - Email: 
elaynecroft@ymail. com 

firstnationarts.com - 66.96.219.38 ( redskeltonarts.com, 
southard_cheryl@yahoo.com) - Email: 

harold 

_ ward@ymail. com 

sportfishingarts.com - 66.199.229.230 
(greenbeearts.com, heiserdenise@ymail.com) - Email: 

roderickno- 


vak@rocketmail. com 



bestgreatarts.com - 64.191.44.73 (freesurrealarts.com, 

ghuertas@rocketmail.com) - Email: jeffreyespey@ymail.com 
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spacevisionarts.com - 69.10.35.253 
(picturegraffitoarts.com, ganthony46@rocketmail.com) - 
Email: mosleyja-son@rocketmail. com 

smallspacearts.com - 64.20.35.3 (dvdvideoarts.com, 

ganthony46@rocketmail.com) - Email: 
mosieyja- 

son@rocketmaU. com 

Based on cross-checking across different data sets, 
91.188.60.126 - A56851, BKCNET "SIA" IZZl is also known to 
have been used by at least 4 other members of the affiliate 
network. Naturally, their "signature" can be seen across 
multiple ASs as well. 

Same scareware affiliate program is seen on the following 
IPs, using a different set of affiliate partners: 

194.8.250.154/news.php?land=20 &affid=12400 - 

AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; 
godaccs@gmail. com 

194.8.250.155,/news.php?land=20 &affid=12400 
194.8.250.157/news.php?iand=20 &affid=42500 
194.8.250.158,/news.php?land=20 &affid=42500 

91.188.60.118/news.php?land=20 &affid=50900 - 

AS6851, Sagade Ltd.; Emails: piotrek89@gmail.com; 



91.188.60.124/news.php?land=20 &affid=12800 
91.188.60.126/news.php?land=20 &affid=15600 
91.188.60.146/news.php?land=20 &affid=20102 
91.188.60.147/news.php?land=20 &affid=20102 
91.188.60.147/news.php?land=20 &affid=20102 

91.213.157.165/news.php?land=20 &affid=50900 - 

AS 13618, PE "Sattelecom"; Emails: tt@sattelecom.biz 

77.78.239.71/news.php?iand=20 &affid=12400 - 

AS42560, MAXIMUS-NET-SERVICES; Emails: 
godaccs@gmaii. com; bosko@giobainet. ba 

77.78.239.76/news.php?land=20 &affid=12400 

77.78.239.77/news.php?land=20 &affid=15603 

As for AS6851, BKCNET "SiA" iZZi, the same AS is also seen 
in the following campaigns, find below an excerpt from a 
previous post, emphasizing on the Koobface gang 
connection, in the sense that they're both customers of the 
same cybecrime-friendiy ISP 

• [9]Spamvertised iTunes Gift Certificates and CV 
Themed Malware Campaigns 

• [lOJGoDaddy's Mass WordPress Blogs Compromise 
Serving Scareware 

• [llJDissecting the Mass DreamHost Sites 
Compromise 

What's so special about [12JAS6851 , BKCNET "SIA " IZZI 
anyway? It's the Koobface gang connection in the face of 

uro- 



dinam.net, which is also hosted within A56851, currently 
responding to 91.188.59.10. More details on 

urodinam.net: 

• [13]Koobface Botnet's Scareware Business Model 

• [14]Koobface Botnet's Scareware Business Model - 
Part Two 

Moreover, on the exact same IP where Koobface gang's 
urodinam.net is parked, we also have the currently active 
Izabslwvn538n4i5tcjl.com - Email: 
michaeitycoon@gmaii.com, serving client side exploits 
using the Yes Malware Exploitation kit - 91.188.59.10 
/temp/cache/PDF.php; admin panel at: 
Izabslwvn538n4i5tcjl. com 

/temp/admin/index.php 
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For the time being, the following domains, IPs are ail active 
within AS6851, BKCNET "SiA" iZZi: 

Izabslwvn538n4i5tcjl.com - 91.188.59.10 - Email: 
michaeltycoon@gmail. com 

hotxxxtubevideo.com -91.188.59.74 

ruexpl.ru - Email: krahil@mail.ru 

hotxtube.in - 91.188.59.74 - Email: iordjok@gmaii.com 

get-money-now.net - 91.188.59.211 - Email: 
noxim@maidsf. ru 


easy-ns-server.org - 91.188.60.3 - Email: 
russet11985@hotmail. com 

fast-scanerr-online.org - 91.188.60.3 - Email: 
roberson@hotmail. com 

my-antivirusplus.org - 91.188.60.3 - Email: 
FranciscoPGeorge@hotmail. com 

myprotectonline.org - 91.188.60.3 - Email: 
FranciscoPGeorge@hotmail. com 

sys-protect-online.org - 91.188.60.3 - Email: 
FranciscoPGeorge@hotmail. com 

av-scaner-oniinemachine.com - 91.188.60.3 - Email: 
gersha tvO 7@gmail. com 

domen-zaibisya.com - 91.188.59.211 - Email: 
security2guard(g)gmail. com 

directupdate.info - 91.188.60.10 - Email: 
MichaelBCarlson@gmail. com 

91.188.59.50 

91.188.60.3 

91.188.59.112 
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Name servers of notice: 


nsl.iillOoilO.com - 91.188.59.70 


ns2.iill0oil0.com 91.188.59.71 


Domains using their services: 
allforilli.com - Email: iordjok@gmaii.com 
allforyouplus.net - Email: leshapopovi@gmail.com 
alltubeforfree.com - Email: lordjok@gmail.com 
aiixtubevids.net - Email: lordjok@gmail.com 
downloadfree now. in - Email: iordjok@gmail.com 
enterilllisec.in - Email: leshapopovi@gmail.com 
freeanalsextubemovies.com - Email: iordjok@gmail.com 
freetube06.com - Email: lordjok@gmail.com 
freeviewgogo.com - Email: leshapopovi@gmail.com 
homeamateurclips.com - Email: lordjok@gmail.com 
hotfilesfordo wnload. com 
hotxtube.in - Email: lordjok@gmail.com 
porntube2000.com - Email: welolseeees@gmail.com 
porntubefast.com - Email: welolseeees@gmail.com 
porn-tube-video.com - Email: welolseeees@gmail.com 
skachivay. com 

visiocariill.net - Email: leshapopovi@gmail.com 
xhuilillii.com - Email: lordjok@gmail.com 



yourbestway.cn - Email: haucheng@yahoo.com 

youvideoxxx.com - Email: jonnytrade@gmail.com 

Take down actions are in place, meanwhile, consider going 
through the "[15]Ultimate Guide to Scareware 

Protection". 
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This post has been reproduced from [16]Dancho 
Danchev's blog. Follow him [17Jon Twitter. 

1. htto.V/threatcenter. bio a s oot, com/2010/06/135000-fake- 
voutube- oa aes-deliverina. him l 

2. htto://ddanchev.blo as oot. com/2008/07/temoiate-ization- 
of-malware-servina.html 

3. htto.V/ddanchev.blo as oot.com/2009/02/temoiate-ization- 
of-malware-servina.html 

4. htto.V/shorttext. com/0ez98in oilb 

5. htto://oastebin.com/IWP5LXeU 

6 . 

htto://www. virustotai. com/anaiisis/dc3fdl 8068c00c6dc61 c8 

101265d792c9c60c52221417cfb48bed76d76a6c384-12760 

07284 

7. 

htto://www. virustotai. com/analisis/41d523e6aa58202192de 

74f6daeb54 73ce44145d932aefl a52f8al 65fba4b46d-l2760 
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8 . 

htto://www. virustotal. com/analisis/922922cel 9cf7b82e396f 

ccaccdcd34e5c974d8c52489b049fb398627e67fa32-12760 

07394 

9. htto://ddanchev.blo as oot.com/2010/05/soamvertised- 
itun es-aift-certifica tes. h tml 

10. htto.V/ddanchev. blo as oot. com/2010/04/aodaddvs-mass- 
wordoress-bloas. himl 

11. htto.V/ddanche i/. blo as oot. com/2010/05/dissectina-mass- 
dreamhost-sites.html 

12. httos ://zeu sir acker, abuse, ch/monitor. oho ? 
host=91.188.59.50 

13. htto.V/ddanchev. blo as oot. com/2009/09/koobface- 
botnets-scareware-business.html 

14. httoV/ddanchev. blo as oot. com/2009/11/koobface- 
botnets-scare ware-business, him l 

15. htto.V/www.zdnet.com/bloa/securitv/the-ultimate-auide- 
to-scare ware-orotection/4297 

16. htto.V/ddanchev. blo as oot. com/ 

17. htto://twitter, com/danchodanche i/ 
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Facebook Photo Album Themed Malware Campaign , 
Mass SQL Injection Attacks Courtesy of AS42560 

(2010-06-15 16:05) 

A spamvertised through Facebook personal messages, 
Photo Album themed campaign, with the domain IP 
respond¬ 
ing to ZeuS C &Cs, combined with an indirect connection 
between this campaign and the "[11100,000+ Scareware 
Serving Fake YouTube Pages Campaign", followed by a 
domain portfolio used in a currently active mass SQL 
injection attack serving CVE-2007-5659 exploits, parked 
within the same AS as the Facebook's campaign itself 

What else is missing? The details of course. 

DM spamvertised URL: online-photo-albums.org - 

77.78.239.4, AS42560, BA-GLOBALNET-AS - Email: 

pro- 

tect@ privacy, com. ua 

Detection rate: album.exe - [2]Win32.DownloaderReno; 
Backdoor.Win32.Kbot.anj- Result: 12/41 (29.27 %) 

MD5: d24aa2c364d4b86f75a09362c952a838 

SHA1: 3973c547b64dl66ae807eec494c373efd53ac04c 

Creates l.exe; 2.exe and the self-destructing 3.exe. 
Detection rates: 

- l.exe - [3]Result: 0/41 (0.00 %) 

MD5: fbd0a495d3409123d0e90a9a 734cbbcl 
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SHA1: Ce527267f50b433c622e5da0db5515a4d2e4ae9c 

- 2.exe - [4]Win32.DownloaderReno; Sus/UnkPacker - 
Result: 10/41 (24.39 %) 

MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d 

SHA1: 39b280d0d2ec505a94415f7a9468a547fee51 c66 

with 3.exe phoning back to the following domain, also 
responding to the original campaign's IP 77.78.239.4 

spmfb3309. com /ab/setup.php?act=filters 
6eid=BWKJD0NWLt3pn2Vh6YlhhBe3 &ver=2 

inetnum: 77.78.239.0 - 77.78.240.255 

netname: MAXIMUS-NET-SERVICES 

remarks: ### in case of abuse please contact: 

godaccs@gmail.com # # # 

descr: Maximus hosting services 

country: MD 

admin-c: JB1004 

tech-c: JB1004 

status: ASSIGNED PA 

mnt-by: BA-GLOBALNET 

changed: bosko@globalnet.ba 20100528 



source: RIPE 


person: Jerkovic Bosko 

address: Josipa Vancasa 10 

address: 71000 Sarajevo 

address: Bosnia and Herzegovina 

phone: +387 33 221093 

e-mail: bosko@globainet.ba 

nic-hdl: JB1004 

mnt-by: BA-GLOBALNET 

changed: bosko@globalnet.ba 20070309 

source: RIPE 

Surprise, surprise, where do we know that 
godaccs@gmail.com abuse email from? From the 
previously pro¬ 
filed "[5]Dissecting the 100,000+ Scareware Serving 
Fake YouTube Pages Campaign In particular: 

-AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; 

godaccs@gmail. com 

- AS42560, MAXIMUS-NET-SERVICES; Emails: 

godaccs@gmail. com 

Responding to 77.78.239.4 (online-photo-albums.org) 

are also the following domains: 



hyporesist.com - Email: Kyle.MoodyAi@yahoo.com - Used 

to register ever52592g.com; miror-counter.org; mn- 
frekjivr.com 

newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - 

[6]ZeuS crime ware C &C 

online-photo-albums.org - Email: 
protect@privacy. com. ua 

search-static.org - Email: Kyle.MoodyAI@yahoo.com 

spmfb2299.com - Email: laycxpqguk@whoisservices.cn 

spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn 

vostokgear.org - Email: afgjvubuym@whoisservices.cn 

Where's the mass SQL injection attack connection? Within 
A542560, responding to 77.78.239.56 are also the 

following domains, part of the campaign: 
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google-server09.info - Email: kit00066@gmail.com 
google-serverlO.info - Email: kit00066@gmail.com 
google-serverll.info - Email: kit00066@gmail.com 
google-serverl2.info - Email: kit00066@gmail.com 
google-serverl4.info - Email: kit00066@gmail.com 
google-server29.info - Email: kit00066@gmail.com 


google-server31.info - Email: kit00066@gmail.com 
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmaii.com 
jhuiuhxfgxhtfkjhjth.info - Email: kit00066@gmail.com 
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmail.com 
top-teen-porn.info - Email: kit00066@gmail.com 
Sample mass injection URLs: 
google-server09.info/ urchin.js 
google-serverl0.info/ urchin.js 
google-serverl 1.info/ urchin.js 
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google-serverl2.info/ urchin.js 
google-serverl4.info/ urchin.js 
google-server29.info/ urchin.js 
google-server31.info/ urchin.js 
jhuiuhxfgxhlfkjhjth.info/ urchin.js 
jhuiuhxfgxhtfkjhjth.info/ urchin.js 
jhuiuhxfgxhlfkjhjth.info/ urchin.js 
Detection rate: 

- urchin.js - [ 7]Trojan.JS.Redirector.ca (v); JS:Downloader-LP 

- Result: 4/41 (9.76 %) 



MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5 

SHA1: 66d6edef711516201 f20fce676175adl6777el62 

Sample exploitation structure from the mass SQL injection 
campaign: 

- google-server31.info /urchin.js 

- Seanner-Album.com/7affid=382 &subid=landing - 

91.212.127.19, AS49087, Telos-Solutions-AS - Email: 
systemman _mk@gmail.com 

- websitecoolgo.com/cgi-bin 7158 - 91.188.59.220 - 
AS6851, BKCNET "SIA" IZZI - Email: 

marcomar- 

cian@hotmailbox. com 

- websitecoolgo.com /cgi-bin/random content leading 
to CVE-2007-5659 
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Parked on 91.212.127.19 (Scanner-Album.com), 

AS49087, Telos-Solutions-AS: 

automaticsecurityscan.com - Email: 
robertwatkins@hotmailbox. com 

bigsecurityscan.com - Email: 
robertwatkins@hotmailbox. com 

bigsecurityscan.com - Email: 
robertwatkins@hotmailbox. com 


biacksecurityscan.com - Email: 
robertwatkins@hotmailbox. com 

edscorpor.com - Email: ieonschmura@hotmaiibox.com 
edsctrum.com - Email: admin@edsfiles.com 
edsfiles.com - Email: leonschmura@hotmailbox.com 
edsfilles.com - Email: leonschmura@hotmailbox.com 
edsletter.com - Email: leonschmura@hotmailbox.com 
edslgored.com - Email: leonschmura@hotmailbox.com 
edsnewter.com - Email: leonschmura@hotmailbox.com 
edsogos.com - Email: leonschmura@hotmailbox.com 
edsspectr.com - Email: leonschmura@hotmailbox.com 
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edstoox.com - Email: leonschmura@hotmailbox.com 

findsecurityscan.com - Email: 
robertwatkins@hotmaiibox. com 

memory-scanner.com - Email: systemman 
_mk@gmail. com 

onefindup.org - Email: JamesHying@xhotmail.net 

scanner-album.com - Email: systemman _mk@gmail.com 

scanner-definition.com - Email: rutkowski 
_m3@gmail.com 


scanner-hardware.com - Email: systemman 
_mk@gmail. com 

scanner-master.com - Email: systemman _mk@gmail.com 

scanner-models.com - Email: systemman 
_mk@gmail. com 

scanner-profile.com - Email: systemman _mk@gmail.com 

scanner-programming.com - Email: systemman 
_mk@gmail. com 

scanner-suppiies.com - Email: rutkowski_m3@gmail.com 
scanner-tips.com - Email: systemman _mk@gmail.com 
searchdubles.org - Email: MerleMeisin@xhotmail.net 
searchmartiup.org - Email: MerleMeisin@xhotmail.net 
searchprasup.org - Email: MerleMeisin@xhotmail.net 
searchprodinc.org - Email: MerleMeisin@xhotmail.net 
searchprodinc.org - Email: MerleMeisin@xhotmail.net 
searchtanup.org - Email: MerleMeisin@xhotmail.net 
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Responding to 91.188.59.220 and 91.188.59.221 
(websitecooigo.com) within AS6851, BKCNET "51A" IZZI 
are also the following domains participation in different 
campaigns: 


internetgotours.com - Email: 
marcomarcian@hotmailbox. com 

mediaboomgo.com - Email: 
paulalameda@hotmailbox. com 

mediagotech.com - Email: 
marcomarcian@hotmailbox. com 

mediaracinggo.com - Email: 
paulalameda@hotmailbox. com 

netgozero.com - Email: marcomarcian@hotmailbox.com 

nethealthcarego.com - Email: 
marcomarcian@hotmailbox. com 

networkget.com - Email: marcomarcian@hotmailbox.com 

networksportsgo.com - Email: 
marcomarcian@hotmailbox. com 

patricknetgo.com - Email: paulalameda@hotmailbox.com 

webaliveget.com - Email: paulalameda@hotmailbox.com 

webcoolgo.com - Email: paulalameda@hotmailbox.com 

webgettraffic.com - Email: paulalameda@hotmailbox.com 

webgetwisdom.com - Email: 
marcomarcian@hotmailbox. com 

webgetwise.com - Email: marcomarcian@hotmailbox.com 
webgoengine.com - Email: paulalameda@hotmailbox.com 



webgosolutions.com - Email: 
paulalameda@hotmailbox. com 

webmagicgo.com - Email: paulalameda@hotmailbox.com 

websitecoolgo.com - Email: 
marcomarcian@hotmailbox. com 

websiteget.com - Email: marcomarcian@hotmailbox.com 

The rise of [8]custom abuse emails, conveniently offered 
to cybercrime-friendly dedicated customers? 

It's worth pointing out that godaccs@gmaii.com a.k.a 
Complife, Ltd is conveniently responsible for- A542560, BA- 
GL0BALNET-A5; A543134, Donstroy Ltd; and A542560, 
MAXIMUS-NET-SERVICES, followed by 

piotrek89@gmail.com responsible for [9JAS6851, 
BKCNET "SiA" IZZl (used by the Koobface gang, also seen 
in the following campaigns 1413 

[lOJSpamvertised iTunes Gift Certificates and CV 
Themed Malware Campaigns; [HJGoDaddy's Mass 
WordPress Blogs Compromise Serving Scareware). 

This post has been reproduced from [12]Dancho 
Danchev's blog. Follow him [13]on Twitter. 

1. htto.V/ddanchev.blo as oot.com/2010/06/dissectin a- 
1 OOOOO-scareware-servina. html 

2 . 

htto://www. virustotal. com/analisis/2ace318127ee5b49b44df 

31561928a 75022f258a53e521 ab4c4abl2791 ec66b3-12766 
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765fl 49 cd 1 dc26f3f85ac6163dbde07578602febb 70-12766 
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4. 

htto://www. virustotal. com/analisis/4e6bc0e52d3ef88e0db 7f 

10d0cb6219caea 7b313 b 7fe50282d43dc6d6cd61d70-12 766 

05058 

5. htto://ddanchev.blo as oot.com/2010/06/dissectin a- 
100000-scareware-servina.html 

6. https://zeustrackerabuse, ch/monitor. oho? 
i paddress=77.78.239,4 

7. 

http://www. virustotal. com/analisis/ff387ec39afa 68aabfad3f3 

fd622ceaca4f58e837f5a 6fbd568fcefc5cfdde32~12766 

07425 

8. http://twitter, com/danchodanchev/status/6549021186 

9. htto://ddanchev.blo as oot.com/2010/06/dissectin a- 
1 OOOOQ-scareware-servina.html 

10. htto.V/ddanchev. blo as oot. com/2010/05/soam vertised- 
i tun es-aift-certifica tes. h tm / 
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wordoress-bloas. html 


































12. htto.V/ddanchev. blo as oot. com/ 

13. htto://twitter, com/danchodanche 1 / 
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Dissecting the Expioits/Scareware Serving Twitter 
Spam Campaign (2010-06-16 14:32) 

[ 1 JYesterday's expioits-serving campaign spreading 
across Twitter, using automatically registered accounts 
"pinging" random Twitter users with links to the campaign, 
is worth profiting due to its state of maliciousness - if the 
end user is exploitable, exploits are served ultimately 
leading to sea reware, and if he isn't, the cybercriminals 
behind it 

[2]attempt to monetize through the same network 
used by the [3]Koobface gang on Mac OS X hosts - 
zml.com. 

Let's dissect the campaign, and once again emphasize on 
the fact just how small the cybercrime ecosystem 

could be, given enough historical data is gathered on who's 
who, who's what, and what's when. 

Sample exploitation structure: 

- qtoday.info /ttds/doit.php?ckey=12 &schema=l 
&f=wF - 94.228.209.73 (AS47869), 75.125.222.242 
(AS21844) 


- qtoday.info /ttds/jump.php 





- fqsmydkvsffz.com /tre/vena.htm I/RAN DOM - 

69.174.242.21 (A513768); 75.125.222.242 (A521844) 
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The sea re ware installed interacts with AS18866: 

69.50.197.241 /up/el.dat 

69.50.197.241 7up7e2.dat 

69.50.197.241 7data7upd6.dat 

69.50.197.241 7data7upd7.dat 

69.50.197.241 /data/updl.dat 

69.50.197.241 7data7upd2.dat 
Responding to 69.50.197.241 (AS18866) are: 

radarixo.com - Email: moldavimo@safe-mail.net - 

[4]profiled here 

cyberduck.ru - Email: samm _87@email.com - [5]profiled 
here 

livejasment.com - Email: moldavimo@safe-mail.net 

iinksandz.com - Email: moldavimo@safe-mail.net - 

[6]profiled here 

Detection rates: 

- el.dat -11 on 17 (65 %) - [7JTrojan.MulDropl.21645; 
Win32/Lukicsel. P 

MD5 hash: 2566clla9cd2226b59d226e76bae9f64 



SHA1 hash: 

6alfd405f547ed33f7cfe3abad4f423a33c0e281 


- e2.dat - 8 on 17 (47 %) - [8]W32/Witkinat.A.gen!Eldorado; 
Win32/Witkinat. R 

MD5 hash: 8daaa96ba059e6bld5108c314fl60175 

SHA1 hash: 

b43d26bb2583d9057cb343cl 0d5db 79c846ed895 

- updl.dat -11 on 17 (65 %) - [9]TR/Lukicsel.EB; 

Trojan. Win32.Delf.aaxw A 

MD5 hash: 7b2534536cdfl68f50d63845bl3af8ba 

SHA1 hash: 

306f5199c3f91 cd28c634914a64 78bcbc5c4e9c0 

- upd2.dat - 11 on 17 (65 %) - [ 10]TR/Lukicsel. EB; 

Trojan. Win32.Delf.aaxw A 

MD5 hash: 323ala2429467b3891cc20a26b82f851 

SHA1 hash: 

ae3fe6b442521 d95631703a b530213e897e4f8ea 

- upd6.dat - 9 on 17 (53 %) - [ll]Win32/Lukicsel.P; Trojan- 
Dropper. Win32. Delf.frm 

MD5 hash: d05d89bdadd8a23c2ceb0b016d49550a 

SHA1 hash: 

366db3c2cd64a57587376b416c42960adlf28ea3 

- upd7.dat -11 on 17 (65 %) - [12]SHeur3.AAEI; Trojan- 
Dropper. Win32.Delf.frq 



MD5 hash: Ia582b50d82fb57bec036el962e5da2e 

SHA1 hash: 

15 a9540927f64dec23e625el 40dfde 7ce3d23df7 
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The rest of the exploits-serving domains portfolio parked at 

69.174.242.21 (A513768); 75.125.222.242 (A521844): 
danenskgela.com - Email: strohmeiera@yahoo.com 

aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com 

xfgswsoxoxk.com - Email: tavsadr5r5@yahoo.com 

directinmixem.com - Email: strohmeiera@yahoo.com 

carsmazda6.in - Email: valeriyku@gmaii.com 

danenskgela.com - Email: strohmeiera@yahoo.com 

tfyxffnacsc.com - Email: edb.ri871@gmail.com 

sfkemlymeywk.com - Email: 
admin@overseedomainmanagement.com 

aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com 

aghtdkpaoxk.com - Email: skdhdjfg7s@yahoo.com 

aghtdqpaoxk.com - Email: njgf555dfdsa@yahoo.com 

dhjftzbdoxk.com - Email: skdhdjfg7s@yahoo.com 

dbcyjnudoxk.com - Email: njgf555dfdsa@yahoo.com 

mcduimqmoxk.com - Email: fresadmsn7y@yahoo.com 


piamlzjpoxk.com - Email: fresadmsn7y@yahoo.com 
pfgswlopoxk.com - Email: 7uwy7letel@yahoo.com 
qjigaicqoxk.com - Email: 7uwy7ietei@yahoo.com 
directinmixem.com - Email: strohmeiera@yahoo.com 
etyet.com - Email: zubakova2@rambier.ru 
grantgarant.com - Email: naumann _heikens@yahoo.it 
carsmazda6.in - Email: valeriyku@gmaii.com 
civichonda.in - Email: valeriyku@gmail.com 
drotaifiow.in - Email: johns2249@googlemail.com 
carsinfinity.in - Email: valeriyku@gmail.com 
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3m70.cn - Email: abuseemaiidhcp@gmail.com - 

[13]money mule registrations, [14]rubbing shoulders 
with [15]Koobface 

m ueypflglvlx. com 

mbhcnjyyykpr. com 

ozkifomzaaqd. com 

dqcnefigaefg. com 

vtmxg wnpj vib. com 

jcfkprwasnaj. com 


qg wyinsxlox. com 
tsusi wpmzuqz. com 
fqsmydkvsffz. com 
qcell.info 

q-fe ver. info vmspl. in 
keirun.in 
isco bar. in 
I oncer, in 

jcfkprwasnaj. com 

The complete list of automatically registered bogus Twitter 
accounts, now suspended: 

twitter. com/AbbottMarleneCY 

twitter. com/AnsonJamesJs 

twitter. com/BandaPaul51 

twitter. com/BarkieyTracy52 

twitter. com/BoserJames74 

twitter. com/BradleySheilaTt 

twitter. com/Bra vo Martin UT 

twitter. com/Bro wn TammyaM 

twitter. com/BurlingameStek2 



twitter. com/BurtonPauliC 
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twitter. com/Callo wayEileemb 
twitter. com/CardilloLilli8l 
twitter. com/CareyJocelynXY 
twitter. com/Carpen terJameCl 
twitter. com/CarterErnieBj 
twitter. com/CarterNanCM 
twitter.com/CharltonRoberl Y 
twitter. com/ClausenJillRC 
twitter. com/CochranLindajB 
twitter. com/CruzSha wnjl 
twitter. com/DanielClintonqO 
twitter. com/DeanL uigi 7B 
twitter. com/Deleon ChristiDb 
twitter. com/DickensRitaS6 
twitter. com/Ellison CortezCC 
twitter. com/FernandezRobekc 
twitter. com/FieldsRichardrx 


twitter. com/FryePhilipAx 
twitter. com/CarrisonMiitoP9 
twitter. com/CiifordSarahqo 
twitter. com/CilleyJennifeS T 
twitter. com/CiordanoHelenxy 
twitter. com/Gish CharlesCy 
twitter. com/GreenDonaidbt 
twitter. com/Griffin Ray5 v 
twitter. com/GuzmanEloise5u 
twitter. com/HakalaSte ve9e 
twitter. com/HammonsLeonarW3 
twitter. com/HarmonRaymondMH 
twitter. com/HartHeatherSO 
twitter. com/HaynesChariesxo 
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twitter. com/Hendrickson Ki6F 
twitter. com/JonesAndre wUG 
twitter. com/JonesNickoias Yx 
twitter.com/KendallNorma WS 
twitter. com/KroegerAngeliuO 



twitter. com/LeeJerroldRk 
twitter. com/LevittKe vin9e 
twitter. com/LewisMaryL8 
twitter. com/LimonMargaretgn 
twitter. com/MarvelThomasaO 
twitter. com/McbeeMeiissabu 
twitter. com/MHierFrances we 
twitter. com/MitchellDeborvi 
twitter. com/MooreJoanut 
twitter. com/MorrisMary2n 
twitter. com/MorrisonJackOs 
twitter. com/NealReginaldbH 
twitter. com/NickellGloriad8 
twitter. com/PhelpsRichardKL 
twitter. com/PittsTommyyy 
twitter. com/PlummerA thena wn 
twitter. com/Po weiiMarie94 
twitter. com/PradoDonaidG8 
twitter. com/ReaieBernicegR 
twitter. com/Reese VeronicaFx 



twitter. com/Rie vesShirteyYv 
twitter. com/RobinsonAprilrl 
twitter. com/RobinsonLisa8e 
twitter. com/RoblesRicardo Wh 
twitter. com/RubioLanaj9 
twitter. com/S a vardAnthonyo U 
twitter. com/Sayers WendellVc 
twitter. com/SchmidtLynnk7 
twitter. com/ShankleKathleor 
twitter. com/S ie versDarleelD 
twitter. com/SmithCeorgieMq 
twitter. com/SteinAshieyuQ 
twitter. com/StoughKelseyqt 
twitter. com/TrejoLisaOO 
twitter. com/TullosHo ward Co 
twitter. com/WeberSte ven6r 
twitter. com/WhiteMichelle vj 
twitter. com/WilkinsonPaulTd 
twitter. com/WiliettErnestCR 
twitter. com/WilliamsMichaBl 



twitter. com/WoodsThelmayO 
twitter. com/WynnRichard4m 
twitter. com/YoungMeianieSZ 
twitter. com/CooleyFrancescC 
twitter. com/SchneiderKim6h 
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twitter. com/DobsonElsiequ 
twitter. com/PeelLouise9q 
twitter. com/White YolandaOP 
twitter. com/FrostAngelo Y2 
twitter. com/MorrisMary2n 
twitter. com/MiiierMaryxl 

PDF exploits, binaries streaming from the domain 
portfolio at 69.174.242.21 (AS13768); 75.125.222.242 

(AS21844): 

MD5: 5d42bb346601ba456b52edd3c3e59dlb 
MD5: bal9c971 edefffb22d44e43a91 a 7d9a9 
MD5: e 7a354f58bfe21 c815ddb8fa f00bd08c 
MD5: 4al3b96dd056c0075c553588f0211 c44 


MD5: 29e 71 e291 a31 ea8fl cddbf7d96f7de86 



MD5: 29e71 e291 a31 ea8fl cddbf7d96f7de86 
MD5: 3bb6bdaf8d4e2822da86ef9a614a04ea 
MD5: f41470c7b9ad2260625d2a62b6dbl58f 
MD5: 3987c92c20c3fl 7b5892f84069d816dl 
MD5: 87a95ec041 b2432727336f0cdeeel23a 
MD5: 5d497el841 f5627alb77dbc336dal594 
MD5: 5balaafcef9ea7516flae7082424e83d 
MD5: 5268f85902c7064b393bbbb3dbc094f9 
SHA1: 79526ca9579420cb46cl5fe94b282868cl e7fbbd 
SHA1: f70f6a9aa0aa092511894f7c89defc64637504a 1 
SHA1: 5175b38dfca3dc7dd6ad56bed34a543fl4702bea 
SHA1: 2f2c88e0b950cd91adle49be73e885b07f401f68 
SHA1: b92dl268d06c8ba427beefclee7b064873694a47 
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64el0 
SHA1: 7ecb2679cd23e6c6973c57092blcae46f60db97e 
SHA1: 66ed858043d6d022823bl6956f416e3080e618al 
SHA1: Ofddl de26d5902d4a21b053a212a21 c2760d8aee 
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64el0 
SHA1 : 3a7daa60389f463df795b78fl 6030dcc6fcl fF23 


SHA1: 3054b48186f5e0981c41f200b3492caa0941f889 



SHA1: 0e49c7656becled43efbl9187541 d20c3ecb293b 

This isn't the first time Twitter's been abused for malicious 
purposes, and is definitely not the last. Quick community 
response and take down actions hit them where it hurts 
most - the monetization vector. 

Related assessments of Twitter malware campaigns: 

[16] Twitter Malware Campaign Wants to Bank With You 

[17] Dissecting Koobface Worm's Twitter Campaign 

[18] From Ukraine with Sea re ware Serving Tweets, Bogus 
Linkedln/Scribd Accounts, and Blackhat SEO Farms 

[19] From Ukraine with Bogus Twitter, Linked In and Seri bd 
Accounts 

[20] Twitter Worm Mikeyy Keywords FIija eked to Serve 
Sea re ware 

[21] Dissecting September's Twitter Sea reware Campaign 

This post has been reproduced from [22]Dancho 
Danchev's blog. Follow him [23Jon Twitter. 

1. htto://sunbeltbloa. blo as oot. com/201 0/06/Ddf-exoloit- 
s namrun-on-twitter.html 
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2. htto.Y/www.zdnet.com/bloa/securitv/10-thin as- vou-didnt- 
know-about-the-koobface-aana/5452? D a=2&taa=mantle 


skin; content 


















3. htto.V/ddanchev.blo as oot.com/2010/02/how-koobface- 
aana-monetizes-mac-os-x.html 


4. htto.V/ddanchev.blo as oot.com/2009/1 1/keeoina-mone v- 
mule-recruiters-on - short. h tml 

5. htto://ddanchev.blo as oot. com/2010/05/dissectina-mass- 
d ream host-sites, html 

6 . 

htto.V/ddanche i/. blo as oot. com/2010/03/aaztransitstro v aaztr 
anzitstro v-from.htmi 

7 . 

htto://scanner. no virusthanks. ora/analvsis/2566cl 1 a9cd2226 
b59d226e76bae9f64/ZTEuZGF0/ 

8 . 

htto://scanner. no virusthanks. ora/analvsis/8daaa96ba059e6 
bl d5108c314fl 60175/ZTIuZGFO/ 

9. 

htto://scanner. no virusthanks. ora/analvsis/7b2534536cdfl 68 
f50d63845bl 3af8ba/dXBkM55kYXO =7 

10 . 

h tto://scanner. no virusthanks. ora/analvsis/323a 1 a2429467b 
3891 cc20a26b82f851/dXBkMi5kYXO =7 

11 . 

htto://scanner. no virusthanks. ora/analvsis/d05d89bdadd8a2 
3c2ceb0b016d49550a/dXBkNi5kYXO =7 

12 . 

htto://scanner. no virusthanks. ora/analvsis/l a582b50d82fb5 7 
bec036el 962e5da2e/dXBkNv5kYXO =7 












































13. htto.V/ddanchev. blo as oot. com/2009/10/standardizin a- 
monev-mule-recruitment.html 

14. htto.V/ddanchev. blo as oot. com/2009/11/keeoina-mone v- 
m ule - recruiters - on - short. h tml 

15. htto.V/ddanchev. blo as oot. com/2009/11/koobface-botnet- 
starts-servina-client.html 

16. http.V/ddanchev. blo as oot. com/2008/08/twitter-malware- 
camoaia n-wants-to-bank.htm l 

17. http.V/ddanche i/. blo as oot. com/2009/07/dissectin a- 
koobface - worms-twitter html 

18. http.V/ddanchev. blo as oot. com/2009/06/from-ukraine- 
wsth-scare ware-serving, html 

19. http.V/ddanchev. blo as oot. com/2009/07/from-ukraine- 
with-boaus-twitter.html 

20. htto://ddanchev. blo as oot. com/2009/04/twitter-worm- 
mike v v-keywords-hijacked, html 

21. htto.V/ddanchev. blo as oot. com/2009/09/dissectin a- 
se ptembers-twitter-scare ware, html 

22. htto.V/ddanchev. blo as oot. com/ 

23. htto://twitter, com/danchodanchev 
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Sampling 419 Advance Fee Scams Activity (2010-06- 
17 16:25) 









































Lottery Winning Notifications, Western Union payment 
notifications, dead relatives, advance fee schemes imper¬ 
sonating law enforcement agencies - their arsenal of 
themes is endless, their IPs, however, aren't, taking into 
consideration the fact that the majority of 419 scams are 
not sent using botnets, but manually, and in a targeted 
fashion. 

In fact, some of their spamming techniques ([1J419 

scammers using Dilbert.com; [2J419 scammers using 
NYTimes.com 'email this feature') are so primitive 
compared to the financial impact, a successful advance fee 
has in the long term, that their KISS (Keep it Simple Stupid) 
mentality reflects the current situation within the 
cybercrime ecosystem - they all KISS it to a certain extend - 
"[3]Report: Malicious PDF files comprised 80 percent 
of all exploits for 2009"[4]Reports: SQL injection 
attacks and malware led to most data breaches". 

For the purpose of an experiment, and related reasons. 
Here's a raw snapshot of some 419-ers that just kept 

popping up, over and over again. 

Persistent 419 advance fee scammers (over the last 
7 days), the originating IPs, and the "reply to" email: 

- a _chenchen@yahoo.cn - 218.17.239.18 

- abdulkadera _maroofomar@hotmail.com - 41.138.180.86 

- alfredmorris.m@btinternet.com - 211.101.13.230 

- atmdept_serv001@yahoo.cn - 193.252.22.152 

- austinalan@wanadoo.co.uk - 193.252.22.190 



- avocat_doukoure@yahoo.fr - 78.229.212.4 

- barpaulaffum@live.com - 41.210.31.214 

- barr.rolandkenl@gmail.com - 221.235.112.210 

- barristerhenryivanlooconsult02@yahoo.co.jp - 

60.48.104.88 

- barteddywiH01@googlemaii.com - 200.13.249.119 

- cocacoiaofficiaiprizel9@yahoo.com.hk - 194.79.134.37 

- courfed@aim.com - 79.123.210.10 
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- crichardchambers@rediff.com - 212.242.42.50 

- curiehenria@yahoo.com, barr09amorisql@gmaii.com - 

123.176.96.137 

- dr.austenobigwe008@gmail.com - 41.211.228.112 

- drabejohn2009@aol.com - 217.72.192.242 

- duncan.macdonald@9.cn, barr_duncan 
_macdonald@yahoo.co.uk - 86.43.60.104 

- ecowascounsellordept@gmail.com - 115.242.97.173 

- efccantigraft.nigeria077@gmail.com - 24.166.97.40 

- Email.jmwilliams66@gmail.com, 
misteredwin22@gmail.com - 89.144.96.52 

- fed ex. courerservicesl @hotmail. com, 
richardjohson@live.com - 87.194.255.145 



- fedpeters07@aim.com - 81.31.115.2 

- henryanthonyloanfirm@gmail.com - 200.40.197.69, 
41.219.152.78 

- icpcmistrynig@yahoo.com, fedeministrynig@gmail.com - 

91.198.227.49 

- janefugar2.u@hotmail.com - 82.196.5.120 

- jimovia8787@gmail.com - 216.222.201.201 

- John _chan3030@yahoo.com.hk - 200.171.215.2 

- Ioannationwide2010@windowslive.com - 222.124.26.155 

- mailesq.charlesstanley@gmail.com - 163.20.186.1 

- maroofomar_abduikader@yahoo.com - 62.193.229.238 

- martha _ikobopayment@yahoo.com.hk - 41.138.172.81 

- microwin2010@hotmaii.co.uk - 200.105.120.151 

- ministerdeliveryofficer@yahoo.cn - 193.252.22.190 

- miss.kajat@googlemail.com - 67.15.16.31 

- missbiessing@sify.com - 196.28.250.53 

- mr.parady700@hotmail.com - 80.200.242.17 

- mrabdulhaleem@gmail.com - 66.11.225.183 

- MRANNOLD5MITH2010@gmail.com - 82.128.17.211 

- mrderekpaulatm405@gmail.com - 86.209.83.68 



- Mrperentochaplain@rocketmail. com; 
Mrperentochalion@gmail.com - 112.110.186.25 

- mrsabueke@cantv.net - 200.11.173.131 

- nicemel970@yahoo.com - 80.12.242.27 

- ntai Jerry7775@yahoo.com.hk - 125.141.17.158 

- ochuko_babal@hotmail.fr - 65.55.111.159 

- ochukobabal@gmail.com - 65.55.111.85 

- officerepiybackmaiii@yahoo.com - 82.128.17.211 

- organiotoint39i@yahoo.com.hk - 207.194.87.105 

- promoskllotto@rocketmail.com - 90.183.38.130 

- realexchanges@aim.com - 212.225.181.101 

- rev.sistermaryx31@gmail.com - 41.211.228.112 

- robinkelleyl967@hotmail.com - 85.214.37.73 

- rpatmcard@hotmail.com - 195.83.9.36 

-s.leel@yahoo.com, westernunionoffice99@gmail.com - 

41.191.85.45 

- shopperconsultant@live.co.uk - 195.137.70.240 

- talkdelata3@gmail.com, mdelataecobank@gala.net - 

116.255.152.124 

- thefordfoundation.award0010@yahoo.co.uk - 

222.124.9.54 



- ubanigeria.nig65@gmail.com - 202.132.123.106 

- vex.pressd2009@gmaii.com - 66.48.81.131 

- waziriefccng@live.com - 193.252.22.191 

- worldbpr@9.cn - 41.204.224.19 

- www.cn_western_union@w.cn - 41.222.192.82 

- zakiawilol01@yahoo.co.uk - 202.132.123.106 
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- zongo.benl77@gmaii.com, mr hiiu60@msn.com - 

212.52.146.118 

- bog_officemail@yahoo.co.jp - 82.128.2.78 

- atmfinanceibc@web2mail.com - 41.218.237.202 

- mrjohnsmith70@hotmail.com - 213.171.218.33 

- junhuan9@yahoo.cn - 218.91.39.165 

Nothing hurts as much as a decent historical OSINT 
regarding the activities of any cybercriminal. Moreover, 

this historical OSINT not only contributes to a more efficient 
case building, but also, helps to establish some pretty 
interesting connections within the cybercrime ecosystem. 
As practice and experience has shown, this very same 

ecosystem is not necessarily as big as originally assumed. 

Consider going through the related fraudulent 
schemes/malicious campaigns currently taking advantage 
of 



FIFA's World Cup - [5]Protection tips for the upcoming 
FIFA World Cup themed cybercrime campaigns. 

This post has been reproduced from [6]Dancho 
Danchev's blog. Follow him [7Jon Twitter. 

1. htto://www.zdnet. com/bioa/securitv/419-scammers-usin a- 
dUbertcom/3809 

2. htto://www.zdnet. com/bioa/securitv/419-scammers-usin a- 
n vtimescom-email-this-feature/3491 

3. http://www.zdnet.com/bloa/securitv/report-maiicious-pdf- 
files-comDrised-80-Dercent-of-all-exDloits-for-20 

09/5473 

4. http://www.zdnet.com/bioa/securitv/reports-sal-iniection- 
attacks-and-malware-led-to-most-data-breaches/54 

21 

5. http://www.zdnet.com/bioa/securit v/ protection-tsos-for- 
the-uDComina-fifa-world-cuD-themed-cybercrime-cam p 

a i ans/6610 

6. htto.V/ddanchev.blo as oot. com/ 

7. http://twitter.com/danchodanchev 
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Money Mule Recruiters Trick Mules Into Installing 
Fake Transaction Certificates (2010-06-29 11:07) 

What is more flattering than Ukrainian blackhat 5E0 gangs 
using name as redirectors, including offensive messages, 
the Koobface gang redirecting Facebook's IP space to your 





































blog, or a plain simple danchodanchev admin panel within a 
Crime Pack kit? 

It's the money mule recruiters who modify the HOSTS file of 
gullible mules to redirect ddanchev.blogspot.com and 
bobbear.co.uk to 127.0.0.1. Now that's flattering, 
considering the fact that my public money mule ecosystem 
related research represents a tiny percentage of the real 
profiling/activities taking place behind the curtains. 

a 

Related coverage of money laundering/recruitment in 
the context of cybercrime: 

[lJKeeping Money Mule Recruiters on a Short Leash - Part 
Four 

[2] Money Mule Recruitment Campaign Serving Client-Side 
Exploits 

[3] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

[4] Money Mule Recruiters on Yahoo! 's Web Hosting 

[5] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[6] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[7] Keeping Reshipping Mule Recruiters on a Short Leash 

[8] Keeping Money Mule Recruiters on a Short Leash 

[9] Standardizing the Money Mule Recruitment Process 



[lOJInside a Money Laundering Group's Spamming 
Operations 

[HJMoney Mule Recruiters use ASProx's Fast Fluxing 
Services 

[12]Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [13]Dancho 
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Summarizing Zero Day's Posts for June (2010-07-05 
21:35) 

The following is a brief summary of all of my posts at 

[IJZDNet's Zero Day for June, 2010. You [2]can also go 

through 

[3] previous summaries, as well as subscribe to my 

[4] personai RSS feed, [5]Zero Day's main feed, or 

follow me on Twitter: 

Recommended reading: 

• [6]The security and privacy ramifications of AT&T's iLeak 






















• [7]The EFF releases new HTTPS Everywhere Fire fox 
extension 

• [8]Researchers find 12 zero day flaws, targeting 5 web 
malware exploitation kits 

01. [9]Malware Watch: Free Mac OS X screensavers bundled 
with spyware 

02. [lOJProtection tips for the upcoming FIFA World Cup 
themed cybercrime campaigns 

03. [HJMalware Watch: Twitter password reset emails, IRS- 
themed crimeware, malicious PDFs, and fake YouTube 1428 

pages 

04. [12]The security and privacy ramifications of AT&T's 
iLeak 

05. [13]Malware Watch: Adobe zero day attack, malicious 
FIFA-themed spam, exploit serving Virus Alerts 

06. [14]Malware Watch: Skype exploit, Skype-themed 
malicious spam campaigns detected 

07. [15]The EFF releases new HTTPS Everywhere Fire fox 
extension 

08. [16]Researchers find 12 zero day flaws, targeting 5 web 
malware exploitation kits 

This post has been reproduced from [17]Dancho 
Danchev's blog. Follow him [18]on Twitter. 
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9. htto.V/www.zdnet.com/bloa/securitv/malware-watch-free- 
mac-os-x-screensa vers-bundied- with-s o vware/6560 

10. httD://www.zdnet.com/bloa/securit v/ orotection-tios-for- 
the-uocomina-fifa-world-cuoVhemed-c vb ere rim e - ca m o 

a i d ns/6610 

11. htto.V/www.zdnet. com/bioa/securitv/maiware-watch- 
twitter-password-reset-ama-ls- -s-themed-o meware-malc 

ious-Ddfs-and-fake-voutube- oa aes/6636 

12. httoV/www.zdnet.com/bloa/securitv/the-securitv-and- 
orivacv-ramifications-of-at-ts-ileak/6649 




































































13. http.V/www.zdnet. com/bloa/securitv/malware-watch- 
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14. http.V/www.zdnet. com/bloa/securitv/malware-watch- 
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cted/6716 

15. http://www.zdnet.com/bloa/securitv/the-eff-releases- 
new-httos-evervwhere-firefox-extension/6738 
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Cybercriminals SQL Inject Cybercrime-friendly 
Proxies Service (2010-07-13 23:00) 

Cybercrime ecosystem irony, at its best. Why the irony? 
Because the cybercrime-friendly proxies service T05 

explicitly states that its users cannot launch X55/5QL 
injection attacks through it. 

A relatively low profile cybercriminal has managed to 
exploit a remote SQL injection within a popular proxies 







































service, offering access to compromised hosts across the 
globe for any kind of malicious activities. Based on the 
video released, he was able to access everyone's password 
as MD5 hash, next to the emulating of the users of the 
service, using a trivial flaw in the on line, eg i script. 

Although his intentions, based on the note left in a 
readme.txt file featured in the video, was to allow others 
to use the paid service freely, the potential for undermining 
the OP5EC of cybercriminals using the service is 

enormous, as it not only logs their financial transactions, 
keeps records of their IPs, but most interestingly, allows the 
"manual feeding" of proxy lists (compromised and freely 
accessible hosts) within the database. 
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The service itself, has been in operation since 2004, 
operating under different brands, with prices starting from 
$20 to $90 for access to 150, and 1500 hosts on a monthly 
basis. Some interesting facts from a threat intell/social 
network analysis perspective, including screenshots ( on 
purposely blurred in order to prevent the ruining of 
important OSINT 

sources) of the service obtained from its help file. 

• The gang/hacking/script kiddies team operates different 
business operations online 

• They maintain a traffic purchasing program monetizing 
traffic through [lfcybercrime-friendly search engines 


• Whether they are lazy, or just don't care, 4 currently 
active adult web sites share the same infrastructure as the 
service itself 

• Although the original owners are Russian, they appear to 
be franchising since once of their brands is offering their 
services in Indonesian, including a banner for what looks 
like a Indonesian security conference. 

• One of the Indonesian franchisers is known to have been 
offering root accounts and shells at compromised 

servers for sale, back in 2007 
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For years, compromised malware hosts has been widely 
abused for anything, from direct spamming, to hosting 

spam/phishing and malware campaigns, but most 
importantly - to engineer cyber warfare tensions by directly 

forwarding the responsibility for the malicious actions of the 
cybercriminal/cyber spy to the host/network/country in 
question. 

Not only do these tactics undermine the currently 
implemented data retention regulations - how can you 


data retain something from a compromised ecosystem that 
keeps no logs - but also, they offer a safe heaven for the 
execution of each and every cybercriminal practice there is. 

Related posts: 

[2] Should a targeted country strike back at the cyber 
attackers? 

[3] Mai ware Infected Hosts as Stepping Stones 

[4] The Cost of Anonymizing a Cybercriminai's Internet 
Activities 

1434 

[5] The Cost of Anonymizing a Cybercriminai's Internet 
Activities - Part Two 
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Exploits, Malware , and Scareware Courtesy of 
AS6851, BKCNET, Sagade Ltd. (2010-07-14 19:54) 

Never trust an AS whose abuse-mailbox is using a Gmail 
account (piotrek89@gmail.com), and in particular one 
that you've come across to during several malware 
campaigns over the past couple of month. It's [1JAS6851, 

BKCNET 

"SIA" IZZI I'm referring to, also known as Sagade Ltd. 

Let's dissect the currently ongoing malicious activity at that 
Latvian based AS, expose the ex- 

ploit/malware/crimeware/sca re ware serving domain 
portfolios, sample some of the currently active binaries 

and emphasize on the hijacking of Google/Yahoo and Bing 
search engines, as well as take a brief retrospective of 
AS6851 's activities profiled over the past couple of months. 

What's so special about AS6851 anyway? It's the numerous 
times in which the AS popped-up in previously 

profiled campaigns (see related posts at the bottom of 

the post), next to a pretty interesting Koobface gang 
connection. [2] An excerpt from a previous post: 

" What's so special about [3JAS6851, BKCNET "SIA" IZZI 
anyway? It's the Koobface gang connection in the face of 

uro- 



dinam.net, which is also hosted within AS6851, currently 
responding to 91.188.59.10. More details on 

urodinam.net: 

• [4]Koobface Botnet's Scareware Business Model 

1436 

• [5]Koobface Botnet's Scareware Business Model - 
Part Two 

Moreover, on the exact same IP where Koobface gang's 
urodinam.net is parked, we also have the currently active 
Izabslwvn538n4i5tcjl.com - Email: 
michaeitycoon@gmaii.com, serving client side exploits 
using the Yes Malware Exploitation kit - 91.188.59.10 
/temp/cache/PDF.php; admin panel at: 
Izabslwvn538n4i5tcjl. com 

/temp/admin/index.php 

The same michaeltycoon@gmail.com used to register 
Izabsiwvn538n4i5tcji.com, was also profiled in the 

"[6]Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 11 

assessment. " 

Related data on AS6851, BKCNET/Sagade Ltd.: 

netname: ATECH-SAGADE 

descr: Sagade Ltd. 

descr: Latvia, Rezekne, Darzu 21 


descr: +371 20034981 



remarks: abuse-mailbox: piotrek89@gmail.com 

country: LV 

admin-c: JS1449-RIPE 

tech-c: JS1449-RIPE 

status: ASSIGNED PA 

mnt-by: AS6851-MNT 

source: RIPE # Filtered 

person: Juris Sahurovs 

remarks: Sagade Ltd. 

address: Latvia, Rezekne, Darzu 21 

phone: +371 20034981 

abuse-mailbox: piotrek89@gmail. com 

nic-hdl: JS1449-RIPE 

mnt-by: ATECH-MNT 

source: RIPE # Filtered 

AS6851 advertises 15 prefixes: 

*62.84.0.0/19 

62.84.22.0/23 

84.38.128.0/20 


85.234.160.0/19 



91.123.64.0/20 


91.188.32.0/19 

91.188.41.0/24 

91.188.44.0/23 

91.188.46.0/24 

91.188.48.0/23 

91.188.50.0/24 

91.188.52.0/23 

91.188.56.0/24 

109.110.0.0/19 

195.244.128.0/20 

Uplink courtesy of: 

AS6747, LATTE LE KO M Latte I ekom 
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A55518 ’ TELIALATVIJA Telia Latvija 51 A 

Currently active exploits/malware/scareware serving domain 
portfolios within A56851: 

Parked at/responding to 85.234.190.15 are: 

anrio.in - Email: Ometovgordey@mail.com 

brayx.in - Email: NikitasZoya@maii.com 



broyx.in - Email: NikitasZoya@mail.com 
brusd.in - Email: LomaevaTatyana@mail.com 
butuo.in - Email: erofeevalexey77@gmail.com 
butyx.in - Email: NikitasZoya@mail.com 
cogoo.in - Email: 5amatovNail@mail.com 
conyx.in - Email: NikitasZoya@mail.com 
eboyx.in - Email: NikitasZoya@mail.com 
ederm.in - Email: Evenkolvan@mail.com 
edois.in - Email: Evenkolvan@mail.com 
foryx.in - Email: NikitasZoya@mail.com 
liuyx.in - Email: NikitasZoya@mail.com 
moosd.in - Email: Vasileva5vetlana@mail.com 
oserr.in - Email: skripnikkseniya@live.com 
ossce.in - Email: skripnikkseniya@live.com 
ostom.in - Email: skripnikkseniya@live.com 
purnv.in - Email: BajenovOieg@maii.com 
ragew.in - Email: vednerovasvetlana@gmail.com 
relsd.in - Email: Vasileva5vetlana@mail.com 
retnv.in - Email: BajenovOleg@mail.com 
sdali.in - Email: VasilevaSvetlana@mail.com 



seedw.in - Email: vednerovasvetlana@gmail.com 
shkey.in - Email: FirulevAndrey@mail.com 
spkey.in - Email: FirulevAndrey@mail.com 
thynv.in - Email: BajenovOleg@mail.com 
uitem.in - Email: lvanovEvgeny@mail.com 
wakey.in - Email: FirulevAndrey@mail.com 
yxial.in - Email: GaevAlexandr@mail.com 
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Parked at/responding to 85.234.190.4 are: 
anrio.in - Email: Ometovgordey@mail.com 
antsd.in - Email: lvanovEvgeny@mail.com 
appsd.in - Email: lvanovEvgeny@mail.com 
arsdh.in - Email: shadrenkovavanda@mail.com 
barui.in - Email: RijovAlexandr@mail.com 
bkpuo.in - Email: erofeevalexey77@gmail.com 
bleui.in - Email: RijovAlexandr@mail.com 
brayx.in - Email: NikitasZoya@mail.com 
broyx.in - Email: NikitasZoya@mail.com 
brusd.in - Email: LomaevaTatyana@mail.com 


bryhw.in - Email: matatovayanna@mail.com 
butui.in - Email: RijovAlexandr@mail.com 
butuo.in - Email: erofeevalexey77@gmail.com 
1439 

butyx.in - Email: NikitasZoya@mail.com 
cirui.in - Email: RijovAlexandr@mail.com 
cogoo.in - Email: RijovAlexandr@mail.com 
conuo.in - Email: erofeevalexey77@gmail.com 
conyx.in - Email: NikitasZoya@mail.com 
cusnv.in - Email: 5imakovSergey@mail.com 
czkey.in - Email: ZaharcevSergey@mail.com 
degoo.in - Email: SamatovNail@mail.com 
dugoo.in - Email: SamatovNail@mail.com 
echo.in - Email: Ometovgordey@mail.com 
ectuo.in - Email: erofeevalexey77@gmail.com 
ederm.in - Email: Evenkolvan@mail.com 
edger.in - Email: Evenkolvan@mail.com 
edimp.in - Email: Evenkolvan@mail.com 
edois.in - Email: Evenkolvan@mail.com 
elrio.in - Email: Ometovgordey@mail.com 



enguo.in - Email: erofeevalexey77@gmail.com 
eqrio.in - Email: Ometovgordey@mail.com 
fibnv.in - Email: 5imakov5ergey@maii.com 
glouo.in - Email: erofeevaiexey77@gmaii.com 
habsd.in - Email: LomaevaTatyana@maii.com 
hecuo.in - Email: erofeevalexey77@gmail.com 
he key. in - Email: ZaharcevSergey@maii.com 
hygos.in - Email: Hohlunovanika@live.com 
imbos.in - Email: Hohlunovanika@live.com 
intsd.in - Email: LomaevaTatyana@mail.com 
ionnv.in - Email: 5imakovSergey@mail.com 
jamsd.in - Email: LomaevaTatyana@mail.com 
latuo.in - Email: erofeevalexey77@gmail.com 
Unuo.in - Email: erofeevalexey77@gmaii.com 
m a key. in - Email: ZaharcevSergey@mail.com 
oscog.in - Email: Nigmatovaanastasia@hotmail.com 
oserr.in - Email: skripnikkseniya@live.com 
os mac. in - Email: skripnikkseniya@live.com 
os mot. in - Email: skripnikkseniya@live.com 
ospor.in - Email: skripnikkseniya@live.com 



ossce.in - Email: skripnikkseniya@iive.com 
ossio.in - Email: skripnikkseniya@live.com 
ostab.in - Email: skripnikkseniya@live.com 
ostac.in - Email: skripnikkseniya@live.com 
ostio.in - Email: skripnikkseniya@live.com 
ouned.in - Email: PoleschukovaGalina@mail.com 
purnv.in - Email: BajenovOleg@mail.com 
pxdmx.in - Email: GaleevDjamil@mail.com 
re key. in - Email: ZaharcevSergey@mail.com 
relsd.in - Email: VasilevaSvetlana@mail.com 
retnv.in - Email: BajenovOleg@mail.com 
scoos.in - Email: Nigmatovaanastasia@hotmaii.com 
sdaii.in - Email: VasilevaSvetlana@mail.com 
sdome.in - Email: OsvyanikovaDarya@mail.com 
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shkey.in - Email: FirulevAndrey@mail.com 
spkey.in - Email: FirulevAndrey@mail.com 
sydos.in - Email: Nigmatovaanastasia@hotmail.com 
thynv.in - Email: BajenovOleg@maii.com 
ugiyx.in - Email: UshakovAndrey@mail.com 



uirin.in - Email: UshakovAndrey@maii.com 
uisap.in - Email: UshakovAndrey@maii.com 
uitem.in - Email: lvanovEvgeny@mail.com 
uithi.in - Email: lvanovEvgeny@mail.com 
uityp.in - Email: lvanovEvgeny@mail.com 
uityr.in - Email: lvanovEvgeny@mail.com 
varyx.in - Email: GaevAlexandr@mail.com 
wakey.in - Email: FirulevAndrey@mail.com 
yokey.in - Email: FirulevAndrey@mail.com 
yxiac.in - Email: GaevAlexandr@mail.com 
yxial.in - Email: GaevAlexandr@mail.com 
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Parked at/responding to 91 . 188 . 60.225 are: 
abrie.in - Email: Bodunovanton@mail.com 
agros.in - Email: Fiohiunovanika@iive.com 
a I Idh. in - Email: bondyashovandrey@mail.com 
alodh.in - Email: radostovamariya@mail.com 
anrio.in - Email: Ometovgordey@mail.com 
antsd.in - Email: lvanovEvgeny@mail.com 


aoxtv.in - Email: Akuiov5ergey@maU.com 
appsd.in - Email: lvanovEvgeny@mail.com 
aquui.in - Email: RijovAlexandr@mail.com 
arrie.in - Email: Bodunovanton@mail.com 
arsdh.in - Email: shadrenkovavanda@mail.com 
balsd.in - Email: lvanovEvgeny@mail.com 
barui.in - Email: RijovAlexandr@mail.com 
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bikey.in - Email: ZaharcevSergey@mail.com 
bkpuo.in - Email: erofeevalexey77@gmail.com 
bleui.in - Email: RijovAlexandr@mail.com 
brayx.in - Email: NikitasZoya@mail.com 
broyx.in - Email: NikitasZoya@mail.com 
brusd.in - Email: LomaevaTatyana@mail.com 
bryhw.in - Email: matatovayanna@mail.com 
butui.in - Email: RijovAlexandr@mail.com 
butuo.in - Email: erofeevalexey77@gmail.com 
butyx.in - Email: NikitasZoya@mail.com 
cated.in - Email: PoleschukovaGalina@mail.com 
cedhw.in - Email: lopushkoamariya@mail.com 



chrie.in - Email: Bodunovanton@mail.com 
chrio.in - Email: Ometovgordey@mail.com 
cirui.in - Email: RijovAlexandr@mail.com 
clrio.in - Email: Ometovgordey@mail.com 
cogoo.in - Email: SamatovNail@mail.com 
conuo.in - Email: erofeevalexey77@gmail.com 
conyx.in - Email: NikitasZoya@mail.com 
corie.in - Email: Bodunovanton@mail.com 
curie.in - Email: Bodunovanton@mail.com 
cusnv.in - Email: SimakovSergey@mail.com 
czkey.in - Email: ZaharcevSergey@mail.com 
degoo.in - Email: SamatovNail@mail.com 
dennv.in - Email: SimakovSergey@mail.com 
dugoo.in - Email: SamatovNail@mail.com 
eagoo.in - Email: SamatovNail@mail.com 
eboyx.in - Email: NikitasZoya@mail.com 
ecrio.in - Email: Ometovgordey@maU.co 
ectuo.in - Email: erofeevalexey77@gmail.com 
edbal.in - Email: VasilevOleg@mail.com 
edban.in - Email: VasilevOleg@mail.com 



ederc.in - Email: Evenkolvan@mail.com 
ederm.in - Email: Evenkolvan@mail.com 
edger.in - Email: Evenkolvan@mail.com 
edimp.in - Email: Evenkolvan@mail.com 
edois.in - Email: Evenkolvan@mail.com 
elrio.in - Email: Ometovgordey@maii.com 
enguo.in - Email: erofeevalexey77@gmail.com 
eprio.in - Email: Ometovgordey@mail.com 
eqrio.in - Email: Ometovgordey@mail.com 
esrie.in - Email: Bodunovanton@mail.com 
fa key. in - Email: ZaharcevSergey@mail.com 
fegoo.in - Email: SamatovNail@mail.com 
fibnv.in - Email: SimakovSergey@mail.com 
foryx.in - Email: NikitasZoya@mail.com 
franv.in - Email: SimakovSergey@mail.com 
fraos.in - Email: Hohlunovanika@live.com 
garie.in - Email: Bodunovanton@mail.com 
glouo.in - Email: erofeevalexey77@gmail.com 
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guinv.in - Email: SimakovSergey@mail.com 



habsd.in - Email: LomaevaTatyana@mail.com 
hecuo.in - Email: erofeevalexey77@gmail.com 
he key. in - Email: ZaharcevSergey@mail.com 
humos.in - Email: Hohiunovanika@iive.com 
hygos.in - Email: Hohlunovanika@live.com 
hyrie.in - Email: Bodunovanton@mail.com 
imhos.in - Email: Hohlunovanika@live.com 
intsd.in - Email: LomaevaTatyana@mail.com 
ionnv.in - Email: SimakovSergey@mail.com 
jamsd.in - Email: LomaevaTatyana@mail.com 
jobos.in - Email: Hohlunovanika@live.com 
kykey.in - Email: ZaharcevSergey@mail.com 
latuo.in - Email: erofeevalexey77@gmail.com 
leunv.in - Email: SimakovSergey@mail.com 
linuo.in - Email: erofeevalexey77@gmail.com 
liuyx.in - Email: NikitasZoya@mail.com 
m a key. in - Email: ZaharcevSergey@mail.com 
moosd.in - Email: VasilevaSvetlana@mail.com 
naios.in - Email: Hohlunovanika@live.com 
nvenc.in - Email: BajenovOleg@mail.com 



oscog.in - Email: Nigmatovaanastasia@hotmail.com 
osenc.in - Email: Nigmatovaanastasia@hotmail.com 
oserr.in - Email: skripnikkseniya@live.com 
os mac. in - Email: skripnikkseniya@live.com 
os mot. in - Email: skripnikkseniya@live.com 
ospor.in - Email: skripnikkseniya@live.com 
ossce.in - Email: skripnikkseniya@live.com 
ossio.in - Email: skripnikkseniya@live.com 
ostab.in - Email: skripnikkseniya@live.com 
ostac.in - Email: skripnikkseniya@live.com 
ostio.in - Email: skripnikkseniya@live.com 
ostom.in - Email: skripnikkseniya@live.com 
ouned.in - Email: PoleschukovaGalina@mail.com 
purnv.in - Email: BajenovOleg@mail.com 
pxdmx.in - Email: GaleevDjamil@mail.com 
ragew.in - Email: vednerovasvetlana@gmail.com 
re key. in - Email: ZaharcevSergey@mail.com 
relsd.in - Email: VasilevaSvetlana@mail.com 
retnv.in - Email: BajenovOleg@mail.com 
sated.in - Email: VasilevOleg@mail.com 



sated.in - Email: VasilevOleg@mail.com 
scoos.in - Email: Nigmatovaanastasia@hotmaii.com 
sdaii.in - Email: VasilevaSvetlana@mail.com 
sdall.in - Email: VasilevaSvetlana@mail.com 
sdayb.in - Email: OsvyanikovaDarya@mail.com 
sdaye.in - Email: OsvyanikovaDarya@mail.com 
sdayo.in - Email: OsvyanikovaDarya@mail.com 
sdene.in - Email: OsvyanikovaDarya@mail.com 
sdich.in - Email: OsvyanikovaDarya@mail.com 
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sdome.in - Email: OsvyanikovaDarya@mail.com 
seedw.in - Email: vednerovasvetlana@gmail.com 
shkey.in - Email: FirulevAndrey@mail.com 
smoed.in - Email: VasilevOleg@mail.com 
soted.in - Email: VasilevOleg@mail.com 
spios.in - Email: Nigmatovaanastasia@hotmail.com 
spkey.in - Email: FirulevAndrey@mail.com 
stteop.in - Email: fibra _appl@yahoo.com 
sunyx.in - Email: GaevAlexandr@mail.com 
sydos.in - Email: Nigmatovaanastasia@hotmail.com 



teaed.in - Email: VasilevOleg@mail.com 
thynv.in - Email: BajenovOleg@mail.com 
ugiyx.in - Email: GaevAlexandr@mail.com 
uinei.in - Email: UshakovAndrey@mail.com 
uinge.in - Email: UshakovAndrey@mail.com 
uiren.in - Email: UshakovAndrey@mail.com 
uirin.in - Email: UshakovAndrey@mail.com 
uisap.in - Email: UshakovAndrey@mail.com 
uisee.in - Email: UshakovAndrey@mail.com 
uisma.in - Email: lvanovEvgeny@mail.com 
uitem.in - Email: lvanovEvgeny@mail.com 
u it hi. in - Email: lvanovEvgeny@mail.com 
uityp.in - Email: lvanovEvgeny@mail.com 
uityr.in - Email: lvanovEvgeny@mail.com 
varyx.in - Email: GaevAlexandr@mail.com 
veged.in - Email: VasilevOleg@mail.com 
wakey.in - Email: FirulevAndrey@mail.com 
whasd.in - Email: VasilevaSvetlana@mail.com 
wimed.in - Email: VasilevOleg@mail.com 
woonv.in - Email: BajenovOleg@mail.com 



yokey.in - Email: FirulevAndrey@mail.com 
yxiac.in - Email: GaevAlexandr@mail.com 
yxial.in - Email: GaevAlexandr@maii.com 
yxiam.in - Email: GaevAlexandr@mail.com 
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Parked at/responding to 91.188.60.3 are: 

Ocheckingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 

10checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 

20checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 

30checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmaii. com 

40checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 

50checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 

60checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 

70checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmail. com 


80checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmaii. com 

90checkingyourtraffic.com - Email: 
FranciscoPGeorge@hotmaii. com 



av-scaner-onlinemachine.com - Email: 
gershatv07@gma'U. com 

easy-ns-server.org - Email: russelll985@hotmail.com 
fast-scanerr-online.org - Email: roberson@hotmail.com 
fast-scanneronline.org - Email: roberson@hotmail.com 
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Insecure Internet activity. Threat of virus attack 


Du* 16 AHCUt hMfr*t your PC cm H#|r qm i4kM Mtfi wuttfk worms md Crojortt mOM your 

tWw V ity, ora ttat coo kod to pyspom ttowdcnn, frooios ov) oktfNi 

Also i*i too ir* Iroorooc odMty coo rona at (MOkf ytui pocsoool itfcrmtcorL 

To 9 #< M oSmctd root wo prococtori tor PC md WirnM octwfy, rr^tfrr MMrus Plus. 


Wr nc o— g od you to protect your PC bon ond « ontfeiix* ulc Wr n ut Uomhtg 

9 Ode here to 9*t ful adronced reakme protected ond contnue browing. 

9 Contnue to ths webste unprotected (not recommended), 


fastscanner-online.org - Email: roberson@hotmail.com 
fastscannerr-online.org - Email: roberson@hotmail.com 


myantivirsplus.org - Email: 
FranciscoPGeorge@hotmaii. com 


my-antivirspius.org - Email: 
FranciscoPGeorge@hotmaii. com 

my-antiviruspius.org - Email: 
FranciscoPGeorge@hotmail. com 

my-antivirus-pius.org - Email: 
FranciscoPGeorge@hotmaii. com 

myprotectonline.org - Email: 
FranciscoPGeorge@hotmail. com 

my-protectonline.org - Email: 
FranciscoPGeorge@hotmaii. com 

my-protect-oniine.org - Email: 
FranciscoPGeorge@hotmail. com 

sysprotectonline.org - Email: 
FranciscoPGeorge@hotmail. com 

sys-protectonline.org - Email: 
FranciscoPGeorge@hotmail. com 

sys-protect-online.org - Email: 
FranciscoPGeorge@hotmail. com 

Parked at/responding to 91.188.59.74 are: 

allforilli.com - Email: iordjok@gmaii.com 

alltubeforfree.com - Email: lordjok@gmail.com 

aiixtubevids.net - Email: lordjok@gmail.com 



downloadfreenow.in - Email: lordjok@gmail.com 
enterilUisec.in - Email: ieshapopovi@gmaii.com 
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Your Purchase i* lacked ty jTS 

Q Our 30 DoyMoney Ract fH 

*<■*■* Guarantee* ''UW 

U0 1 Secure & Encrypted 

I Ordemg • Even Safer 

F Than Over d»e Ptione. 

^ vour EmaJ Address and 
mty atrspnat IrdormeOpn are 
cxr.ee* and NEVER re»M. 

Li Antivirus Plus 

IrMtad 

(ActivaC 

nooamour.r $68.45 

ton lee $1.50 Total prtcr $69.95) 

Irtw ycf pmowt dried* 

(*eed «e»ran — Veer card end Veer cerd statement) 

IstfriwurdrtsnMtiM 


IMRiw: 


CXY 

SUtr. 

/V/fKMUl Code. 
Cewxiy. 

(mad: 



| Select Sum 3 

| Select please 3 


SdKtCirtrw |VtSA 3 

Card Number 


E sprat ton date: | Month *j |Ymt 


CVC2/CW* 


VbilJt 

CYU/CW,?? 
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Sign me gp ter a pvcftosecr Advanced Reg**tCieart«r Yeu edtebrtedcneeme charge* cm. *19 9S 

AAenced Rep*a» Cleaner S4*»a<e w»» te*t oc*» n team *er> v#anj» Ptu»' Bet» cregram* *ere speoaty 
dttd^M to iron togemer crtdmm^ od car md ptdofltwQ tfitm ocamong tests in ora# 
c«*at>e*aften tor re *aM * mteataMe prceeceon Hksano Bu*>g Aj.*r.:*<j Rep**. Cleaner to» H9 W row 
im 7?v Tha teaang speoaests n N M m edermaeen prctecften atwera recemmena to use mautru* Pius in 
team *•> Advanced R*p»*. Cleaned Puxnasrrtg A*ar<ed Rep%»> Clearer products iow are getonj die tap 
Mart) vm i our computer ot rv« c«irMJi 0r<» comptoa prctec»on ma nerp rou ts protect re toes of roa 
computer Scm urMranttd W*ig and mi* nlec*ng 



Ptocrss transection | 



freeanalsextubemovies.com - Email: lordjok@gmail.com 
freetube06.com - Email: lordjok@gmail.com 
freeviewgogo.com - Email: leshapopovi@gmail.com 
homeamateurclips.com - Email: lordjok@gmail.com 
hot4youxxx.in - Email: lordjok@gmail.com 









hotxtube.in - Email: lordjok@gmail.com 

hotxxxtube video, com 

iillOoilO.com 

ilio01ilil.com 

illinolill.in - Email: lordjok@gmail.com 
porntube2000.com - Email: welolseeees@gmail.com 
porntubefast.com - Email: welolseeees@gmail.com 
porn-tube-video.com - Email: welolseeees@gmail.com 
viewnowfast.com - Email: lordjok@gmail.com 
viewxxxfreegall.net - Email: leshapopovi@gmail.com 
viiistiforl. com 

xhuilillii.com - Email: lordjok@gmail.com 
youvideoxxx.com - Email: jonnytrade@gmaii.com 
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Parked at/responding to 85.234.190.16 are: 
appsd.in - Email: lvanovEvgeny@mail.com 
bikey.in - Email: lvanovEvgeny@mail.com 
fibnv.in - Email: Simakov5ergey@mail.com 
franv.in - Email: SimakovSergey@mail.com 
guinv.in - Email: SimakovSergey@mail.com 



he key. in - Email: ZaharcevSergey@mail.com 
intsd.in - Email: LomaevaTatyana@maii.com 
ionnv.in - Email: SimakovSergey@maii.com 
jamsd.in - Email: LomaevaTatyana@maii.com 
leunv.in - Email: SimakovSergey@mail.com 
nvenc.in - Email: BajenovOleg@mail.com 
pxdmx.in - Email: GaleevDjamil@mail.com 
uinei.in - Email: GaleevDjamil@mail.com 
uinge.in - Email: UshakovAndrey@mail.com 
uiren.in - Email: UshakovAndrey@mail.com 
uirin.in - Email: UshakovAndrey@mail.com 
uisap.in - Email: UshakovAndrey@mail.com 
uisee.in - Email: UshakovAndrey@mail.com 
woonv.in - Email: BajenovOleg@mail.com 
yxiam.in - Email: GaevAlexandr@mail.com 
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Detection rates for the currently active malware samples, 
including the HOSTS file modifications on infected hosts, for 
the purposely of redirecting users to [7]cybercrime- 
friendly search engines, monetized through traffic 
trading affiliate programs. 

- [8] 78490.Jar - Result: 0/42 (0 %) 

File size: 209 bytes 

MD5 : 64al9d9b7f0e81c7a5f6d63853a3ed49 

SHA1 : 9f8f208c8cdb854cdc342d43a75a3d8672e87822 


- [9fad3.exe 





[10] - Result: 41/42 (97.62 %) 

File size: 2560 bytes 

MD5...: 9362a3aee38102dde68211 ccb63c3e07 
SHA1..: 8758679540f48feba82d2b022b8d71756eb935e7 

- [llja-fast.exe - Result: 36/42 (85.72 %) 

File size: 979968 bytes 

MD5...: 69f3949141073679b77aa4d34e41 a3e7 

SHA I..:e074de4 6e4 760eef522ab85 73 7790058cc3f2fad 

1450 

- [12Jdm.exe - Result: 37/42 (88.1 %) 

File size: 83968 bytes 

MD5...: b658d9b812454e99b2915ab2e9594b94 
SHA1..: 134bfb643ae2fl 61 c99dbl 4c448485e261 e96c91 

- [13Jiv.exe - Result: 8/42 (19.05 %) 

File size: 86016 bytes 

MD5...: f94ed2f9d7a672fe3ff8bf077289b2d5 

SHA1..: 2f78a296el267aelcf9ebd5cl8de5b8d241cl306 

- [14]]2 _t895. jar - Result: 0/42 (0 %) 

File size: 211 bytes 

MD5...: 4b34618a0499a99e9c98e03aa 79d53cf 



SHA1..: dl 09babf78ec48ba8d7798bee78409 7ed26757db 


- [15Jmovie.exe - Result: 40/42 (95.24 %) 

File size: 64866 bytes 

MD5...: 801 f9fa958192b6714a5a4c2e2f92f07 

SHA1..: 241bc9d7540d9d53ccl578e3d57c44be9931 e418 

- [16Jtst.exe - Result: 35/42 (83.34 %) 

File size: 356352 bytes 

MD5...: b0ed4701afl3fl 1089de850al273d24f 

SHA1..: 5e98000b60d0ca0b2adbd837feaf05f439f95c87 

- [17Jwsc.exe - Result: 37/42 (88.1 %) 

File size: 24576 bytes 

MD5...: 80427b 754bl 1 de653758dd5el ba3del c 

SHA1..: 554el331 fdc050bd603f6f3628285008a91 cba37 

HOSTS file modification: 

AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 

89.149.210.109 www.google.com 

89.149.210.109 www.google.de 

89.149.210.109 www.google.fr 

89.149.210.109 www.google.co.uk 

89.149.210.109 www.google.com.br 



89.149.210.109 www.google.it 

89.149.210.109 www.google.es 

89.149.210.109 www.google.co.jp 

89.149.210.109 www.google.com.mx 

89.149.210.109 www.google.ca 

89.149.210.109 www.google.com.au 

89.149.210.109 www.google.nl 

89.149.210.109 www.google.co.za 

89.149.210.109 www.google.be 

89.149.210.109 www.google.gr 

89.149.210.109 www.google.at 

89.149.210.109 www.google.se 

89.149.210.109 www.google.ch 

89.149.210.109 www.google.pt 
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89.149.210.109 www.google.dk 

89.149.210.109 www.google.fi 

89.149.210.109 www.google.ie 

89.149.210.109 www.google.no 

89.149.210.109 search.yahoo, com 



89.149.210.109 us.search.yahoo, com 
89.149.210.109 uk. search.yahoo, com 
- [18jrc.exe - Result: 41/42 (97.62 %) 

File size: 2560 bytes 

MD5...: 9362a3aee38102dde68211 ccb63c3e07 
SHA1..: 8758679540f48feba82d2b022b8d71756eb935e7 

HOSTS file modification: 

AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 

89.149.249.196 www.google.com 

89.149.249.196 www.google.de 

89.149.249.196 www.google.fr 

89.149.249.196 www.google.co.uk 

89.149.249.196 www.google.com.br 

89.149.249.196 www.google.it 

89.149.249.196 www.google.es 

89.149.249.196 www.google.co.jp 

89.149.249.196 www.google.com.mx 

89.149.249.196 www.google.ca 

89.149.249.196 www.google.com.au 

89.149.249.196 www.google.nl 



89.149.249.196 www.google.co.za 

89.149.249.196 www.google.be 

89.149.249.196 www.google.gr 

89.149.249.196 www.google.at 

89.149.249.196 www.google.se 

89.149.249.196 www.google.ch 

89.149.249.196 www.google.pt 

89.149.249.196 www.google.dk 

89.149.249.196 www.google.fi 

89.149.249.196 www.googie.ie 

89.149.249.196 www.google.no 

89.149.249.196 www.google.co.in 

89.149.249.196 search.yahoo.com 

89.149.249.196 us.search.yahoo, com 

89.149.249.196 uk.search.yahoo, com 
- [19Jinstaller.0028.exe - Result: 9/42 (21.43 %) 

File size: 43735 bytes 

MD5...: a6d7073b8b9bc0dc539605914c853da2 
SHA1..: 1940b6a6b2f93b44633ef04eab900e0a9dc6fa64 


HOSTS file modification: 



AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 


84.16.244.60 www.google.com 

84.16.244.60 us.search.yahoo.com 
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84.16.244.60 uk.search.yahoo.com 

84.16.244.60 search.yahoo.com 

84.16.244.60 www.google.com.br 

84.16.244.60 www.google.it 

84.16.244.60 www.google.es 

84.16.244.60 www.google.co.jp 

84.16.244.60 www.google.com.mx 

84.16.244.60 www.googie.ca 

84.16.244.60 www.google.com.au 

84.16.244.60 www.google.nl 

84.16.244.60 www.googie.co.za 

84.16.244.60 www.google.be 

84.16.244.60 www.googie.gr 

84.16.244.60 www.google.at 

84.16.244.60 www.google.se 

84.16.244.60 www.google.ch 



84.16.244.60 www.google.pt 

84.16.244.60 www.google.dk 

84.16.244.60 www.google.fi 

84.16.244.60 www.google.ie 

84.16.244.60 www.google.no 

84.16.244.60 www.google.de 

84.16.244.60 www.google.fr 

84.16.244.60 www.google.co.uk 

84.16.244.60 www.bing.com 

- [20Jinstaller.0022.exe - Result: 9/42 (21.43 %) 

File size: 43731 bytes 

MD5...: 62464b9e367a9edb06541a2a90931157 
SHA1..: 425c859a883900ccf5cf7b8a6a5f6bc9279d763c 

HOSTS file modification: 

AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 

84.16.244.15 www.google.com 

84.16.244.15 us.search.yahoo.com 

84.16.244.15 uk.search.yahoo.com 

84.16.244.15 search.yahoo.com 

84.16.244.15 www.google.com.br 



84.16.244.15 www.google.it 

84.16.244.15 www.google.es 

84.16.244.15 www.google.co.jp 

84.16.244.15 www.google.com.mx 

84.16.244.15 www.googie.ca 

84.16.244.15 www.googie.com.au 

84.16.244.15 www.google.nl 

84.16.244.15 www.googie.co.za 

84.16.244.15 www.google.be 

84.16.244.15 www.googie.gr 

84.16.244.15 www.googie.at 

84.16.244.15 www.google.se 

84.16.244.15 www.google.ch 
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84.16.244.15 www.google.pt 

84.16.244.15 www.googie.dk 

84.16.244.15 www.googie.fi 

84.16.244.15 www.google.ie 

84.16.244.15 www.google.no 

84.16.244.15 www.google.de 



84.16.244.15 www.google.fr 

84.16.244.15 www.google.co.uk 

84.16.244.15 www.bing.com 

The payment gateway structure+related domains for the 
sea re ware campaigns: 

- fast-payments.com/index.php?prodid=antus 02 01 

Sea fid = - 91.188.59.27 - Email: jclarke980@gmail.com 

- nsl.fastsecurebilling.com - 91.188.59.26 - Email: 
jclarke980@gmail. com 

- easypayments-oniine.com - 91.188.59.28 - Email: 
jclarke980@gmail. com 

- fast-payments.com - 91.188.59.27 - Email: 
jclarke980@gmail. com 

- billingonline.net - 91.188.59.29 - Email: 
kevbush@billingonline. net 

- billsolutions.net - 91.188.59.25 

In respect to the IPs used in HOSTS file modification, one is 
of particular interest - 89.149.210.109, as it was first 
profiled in November, 2009's "[. 21]Koobface Botnet's 
Scareware Business Model - Part Two 11 with MD5: 
0fbfla9f8e6e305138151440da58b4fl modifying HOSTS 
file using the same IP, and also phoning back to the 

Koobface gang's 1.0 hardcore C &C - 

urodinam.net/8732489273.php 


When it comes to cybercrime, there's no such thing as a 
coincidence. What's static is the [22]interaction between 



the usual suspects, systematically switching hosting 
providers, introducing new domains, and [23]conveniently 
denying their monetization tactics. 

You wish. 

Profiled AS6851, BKCNET/Sagade Ltd. activity: 

[24] GoDaddy's Mass Word Press Blogs Compromise Serving 
Sea re ware 

[25] Dissecting the Mass Dream Host Sites Compromise 

[26] Spamvertised iTunes Gift Certificates and CV Themed 
Malware Campaigns 

[27] Dissecting the 100,000+ Scareware Serving Fake 
YouTube Pages Campaign 

[28] Facebook Photo Album Themed Malware Campaign, 
Mass SQL Injection Attacks Courtesy of AS42560 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. httD://cidr-reDort.or a/c ai-bin/as-reDort?as=AS6851 

2. htto://ddanchev. bio as oot. com/2010/05/dissectina-mass- 
dreamhost-sites. html 

3. httos://zeustracker. abuse, ch/monitor. oh o?as=6851 

4. htto://ddanchev. bio as oot. com/2009/09/koobface-botnets- 
scareware-business.html 

5. htto://ddanchev.bio as oot.com/2009/11/koobface-botnets- 
scareware-business. html 


















6. htto.V/ddanchev.blo as oot.com/2010/02/diverse-oortfolio- 
of-scarewareblackhat. html 


7. http://www.zdnet.com/bloa/securit v/c vbercriminals- 
promotina-malware-friendlv-search-enaines/3333 

8 . 

http: //www. virustotal. com/analisis/2f7a 750463ce8761961 a4 

80848852a8a55921a23d76d8cf3f03c8a9cd3d32bdc-12791 
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9. 

http://www. virustotal.com/analisis/1050612d6924e758d96ec 

804e3cbbal5da8e6c4ale9adfae843049868c209104-12791 

16135 

10. http://draft, blo g ger, com/ 
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11 . 

htto://www. virustotal. com/analisis/cfc4154006fa002a88b461 

d9180399el de372a Qab9f5d7eff31 b526e 748bee 7f-12 791 

16145 

12 . 

http://www. virustotal.com/analisis/5a9efl 7967e0ddb3844bl 

31 cf8c7d3bda8762c6d5 70135915b41 eae23f0e324e-12791 
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13. 

http://www. virustotal. com/analisis/3d46cfdl3el3885cl97b03 




























a5c53c3clf82ee6fbl3bfecede24d949e0e0f22d22-12791 
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14. 

httos://www. virustotal. com/analisis/7ddccdcecc3c6024c7e51 

25e418564cl d9223fd8c92651 dd65f7174645a55d8d-12791 
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15. 

http:7/www. virustotal. com/analisis/860dbea5099326fl589efd 

69a89558fl 8961 ee48fac3693313fc774f41818ff0-12 791 
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Sampling Malicious Activity inside Cybercrime- 
Friendly Search Engines (2010-07-15 17:44) 

UPDATED, Friday, July 16, 2010 - Directi has suspended 
the domains portfolio of the cybercrime-friendly search 
engines. 

[ 1 JCybercrime-friendly search engines are bogus search 
engines, which in between visually social engineering their 
users, offer fake results leading to client-side exploits, bogus 
video players dropping more malware, sea re ware, next to 












































































































































the pharmaceutical scams, and domain farms neatly 
embedded with Google AdSense scripts for monetization. 

In the majority of cases - whenever blackhat SEO is not an 
option - end users are exposed the their maliciousness once 
they get infected with malware redirecting each and every 
request to popular search engines such as Google, Yahoo and 
Bing to the malicious IPs/domains operated by the 
cybercriminals. 

As far as their monetization tactics are concerned, fellow 
cybercriminals are free to purchase any kind of key¬ 
word they want to, for instance "spyware", make it look like 
the end user is clicking on security-vendor.corn's site, 1456 


Related Searches 


ispywarei 


Search 


Spyware Sur/eil 

Top 10 Spyware Removal 

Addware And Sovware 

Registry Have Spyware 

Microsoft Spyware 

Sovware Doktor 

Spyware Stomer 

Spyware Removal 

Sovware Remover 
Music Downloads No 

Spyware 


Recent Searches 

Penny Stock Investing 

Invest In Slocks 
Buying Google Stock 

Investing Stock 

Isdn Voip 


Search results: spyware 

Results 

1 Get Rid Of Spyware Now 

Does your computer have spyware on it? Protect your computer and get rid of it now. 

http //www wiinjamod com 

2 Best mobile phone offers ! 

Ringtones. Graphics. Wallpaper. Games. Text 
http //mob4world com 

3 Spyware Removal Download - Download Now 

Award-winning Spyware Remover Scans & removes Spyware Download now! 

http//trafgo biz 

4 Best Spyware Removal 

Most highly awarded anti-spyware Free, safe accurate spyware scan 

http//spytds com 

5 Free Viagra Online! 

Viagra is used to cure erectile dysfunction by relaxing the body muscles and increasing the 
blood flow to various parts of the body including a man&apos.s penis 

http //www freeviagraonline com 

6 2008 Free Spyware Removal 

Top Ranked As Seen on USA Today Detect & Remove Spyware and Virus 

http//CyberDefender com 

7. Spyware Free 

Protect Your PC From Spyware Viruses & Other Threats 

http7/Spyware-Free net 



























whereas upon clicking, based on his physical location a 
particular type of malicious activity takes place. 


Remember the HOSTS file modification taking place courtesy 
of the malware at [2]AS6851, BKCNET, Sagade 

Ltd. , and in particular the [3]Koobface gang related IP 

89.149.210.109? Sampling the malicious activity within the 
search engines parked/forwarded (DNS recursion) from this 
IP, results in client-side exploits, bogus video players 
dropping malware, and sea re ware, and that in less than 5 
minutes of testing. 

The cybercrime-friendly domains in question: 

searchclickl.com - Email: d.bond@maii.ru - 78.159.112.46 

- AS28753 

searchclick2.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 

searchclick3.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 

searchciick4.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 

searchclick5.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 

searchclick6.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 

searchclick7.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 

searchclick8.com - Email: d.bond@mail.ru - 78.159.112.46 

- AS28753 



searchclick9.com - Email: d.bond@mail.ru - 78.159.112.46 
- A528753 


searchclicklO.com - Email: d.bond@mail.ru - 
78.159.112.46 - AS28753 

searchmeup4.com - 78.159.112.46 - AS28753 
zetaclicks4.com - 78.159.112.46 - AS28753 
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websafeciicks.com - Email: d.bond@mail.ru - 
78.159.112.46 - AS28753 

Internal redirections reading to malicious take place 
through the following domains: 

7search.com - 12.171.94.40 - Email: 
webadmin@7search, com 

greatseeking.com, superfindmea.info - 213.174.154.9 - 
Email: serdukov.art@gmaii.com 

superseeking.org - 213.174.154.9 - Email: 
serduko v. art@gmaii. com 

searching4all.com, pharmc9.com - 66.230.188.68 - 
Email: abuse@click9.com 

syssmessage.com; sysstem-mesage.com; sys- 
mesage.com; potectmesage.com - 91.188.59.62 - Email: 
roroalek-sey@gmail. com 

xml.click9.com/click.php - 66.230.188.67 - Email: 
abuse@click9. com 



sunday-traffic.com/in.php - 74.52.216.46 - Email: 
tech@add-manager. com 

efindsite.info/search2.php - 74.52.216.46 

greatseeking.com/search2.php - 213.174.154.9 - Email: 
serduko v. art@gmaU. com 

n-traff.com/ciickn.php - 64.111.208.39 

going-to-n.com/ciickn.php - 64.111.208.38 

everytds.tk/in.cgi?3= &ID=19504; onlyscan.tk; 
pornstaar.tk; dotroot.tk - 94.100.31.26 

Internal pharmaceutical redirections take place through the 
following domains: 

medsbrands.com - 74.52.216.46 - Email: tech@add- 
manager. com 

thepilisdiscounts.info - 74.52.216.46 - Email: tech@add- 
manager. com 

yourcatalogonline.biz - 74.52.216.46 
bestderden.org - 74.52.216.46 

Internal redirections reading to malicious take place through 
the following IPs: 

199.80.55.19/go. php ?da ta= 

199.80.55.80/go. php ?da ta= 

78.140.141.18/kkk.php 

78.140.143.83/go. php 



64.111.212.234/c.php 
64.111.196.126/c.php 
66.230.188.67 
68.169.92.61/c.php 
68.169.92.60/c.php 
68.169.93.242/c. php 
68.169.92.55/c.php 
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1 Start fV otoctO n 


Sample malicious activity consists of sea re ware 
campaigns, client-side exploits, and bogus video 
players dropping malware. 


Upon visiting the bogus PornTube at vogei- 
tube.com/xfreeporn.php?id= -66.197.187.118 (the-real- 
tube- 



















best.com great-celebs-tube.net parked there) - Email: 
admin@thenweb.com the use is tricked into manu¬ 
ally installing basemultimedia.com/video- 
plugin.45309.exe - 66.197.154.21 
(visualbasismedia.com) - Email: joe@silentringer.com 

- Detection rate 

[4Jvideo-plugin.45309.exe - Downloader-CEW.b, Result: 
6/42 (14.29 %) 

File size: 113152 bytes 

MD5...: 25e644171bf9ee2a052b5fa71f8284e5 

SHA1..: e4ac01534c7clb71 d2a38cf480339d31 db!87ecb 

Upon execution, the sample phones back to: 

best-arts-2010.com - 216.240.146.119 - Email: 

hello-arts.com - 64.191.44.73 - Email: 

youngfinearts.com - 64.20.35.3 - Email: 

newchannelarts.com - 64.191.64.105 - Email: 

vrera.com/oms.php - 208.43.125.180 - Email: 

allxt.com/borders.php - 64.191.82.25 

Parked at 216.240.146.119, AS7796 are also: 

best-arts-2010.com - Email: aurora@seekrevenue.com 

crystaldesignlab.com - Email: 
tamara. watson@chemist.com 



homegraphicarts.com - Email: elizabethj@theplate.com 

mediaartsplaza.com - Email: darhom@lendingears.com 

morefinearts.net - Email: vdickerson37@yahoo.com 

photoartsworld.com - Email: margaret 
_adams@rocketmail. com 

pinehousearts.com - Email: jgaron@physicist.net 
sunnyartsite.com - Email: jbowker@blader.com 
thefanarts.com - Email: keasler@surferdude.com 
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Half-Price 


1 - 866 - 417-8358 


ScArck 


PHARMACY 

Home • Generic vs Brand drugs • FAQ • Loyally Program • Affiliates • About us • Contact us • Health articles • Ask a Doctorl 

Categories 

welcome to our pharmacy 


Went Heart 
Premature EjacU 


grand Cisks 
Brand Levtra 
Brand V«gra 
Genenc Vogra 
Kamegra 
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Genenc Ooatnex 
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Anb-oepreeeanta 
Genenc Prozac 
Genenc Zoloft 
Anbbceca 

Genenc Zfftromax 
QuC Srnotorvg 
Genenc 2yt>an 




Genenc Viagra SOmg 
, 120 pills 

'$149 



Generic Cialis 20mg 

70 pills 

$149 



Generic Levrtra 20mg 

60 pills 

$149 



Generic Viagra 50mg 


Generic Cialis 20mq 


# 


Tested - 2010-Ju1-12 


100% 

SATISFACTION 


Top SELLERS with best cash value for orders below $200 Currency Converter 


Choose a currency 6e*ow to 
oepey product puces n the 
selected currency 

■ USOoie' 

■ Curo 

M Pound 

Current Top Sellers 


waycooiart.com - Email: blynch@net-shopping.com 
woodsmayart.com - Email: raymo@songwriter.net 










garner.funtaff.com - Email: dph@greentooth.net 

Parked at 64.191.44.73, AS21788 are also: 

auctionhouseart.com - Email: emerynancy@ymail.com 

bestmalearts.com - Email: mcfarlin@religions.com 

coolcatart.com - Email: pbiron@catlover.com 

freesurrealarts.com - Email: ghuertas@rocketmail.com 

goldfireart.com - Email: thysell@gardener.com 

greatmovieart.com - Email: linger@theplate.com 

worldartsguide.com - Email: ghagen@allergist.com 

instaii.netwaq.com - Email: 
admin@overseedomainmanagement.com 

Parked at 64.20.35.3, A519318 are also: 

artscontact.net - Email: mschneider@doctor.com 

catbodyart.com - Email: pbiron@catlover.com 

feearts.com - Email: breckenridge56@hotmail.com 

freefiasharts.com - Email: russell@clubmember.org 

gardendesignart.com - Email: jasona@gardener.com 

greatfiashstudies.com - Email: jdeal@worshipper.com 

superlegoarts.com - Email: jdeal@worshipper.com 

thedigitalarts.com - Email: hoffman@theaterpillow.com 



virginmegaart.com - Email: hoffman@theaterpillow.com 
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bestarts-2010.com 



216 240 144 0/20 

gamer.funtaff com 


AS ► AS7796 


Related malicious domains sharing the same DNS 
infrastructure: 

iransa tne ws. org 

best-arts-2010.com - Email: aurora@seekrevenue.com 
mediasite2010.com - Email: webmaster@pullstraws.com 
setlamedia.com - Email: monro@eclipsetool.com 
doubiesetmedia.com - Email: monro@eclipsetool.com 






thetestmedia.com - Email: webmaster@maidnews.com 
trinitytestmedia.com - Email: webmaster@maidnews.com 
i-metodika.com - Email: facovskiy _ _n _ _1977@rambler.ru 

iffic.com 

moviefactinc.com - Email: usa@crystals.com 
newdataltd.com - Email: wenzel@techie.com 
new-2010-tube.com - Email: fortney@petiover.com 
super-worid-tube.com - Email: fortney@petlover.com 
real-good-tube.com - Email: fortney@petlover.com 
green-real-tube.com - Email: sanctim59@yahoo.com 
sensual-tube.com - Email: sanctim59@yahoo.com 
webfiimoffice.com - Email: pam@skunkalert.com 
xxl-tube-home. com 
no wsearchonline. com 

localmediasearch.com - Email: mega@stockdvds.com 
mediaonsearch.com - Email: mega@stockdvds.com 
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searchdickl 0. com /c. php?id=758c63496d011 d6c068e90e8bf 18e6da&PHPSESSID=4gep2co220obtd3... 
64.111.212.234 /c. php?s=eNo 1 iMsOqso WRT-IRIoqiqIau6HiAxRERRQ7 Jzy qBEHe8gof f9w397RWZ jL... 

68.169.92.55 /c.php?re=l&r=eNollMsOqsoWRT-IRIoqiqIau6HiAxRERRQ7JzyqBEHe8goff9w397... 
going-to-n .com /dickn. php?f b=W VRveU9udHpPamc2SW5 Welp YSmtZWF JoS Wp0aE9qRTRPbnR6T2... 
every tds. tk /in. cgi?3=8tID= 19504&fb=WVRveU9udHpPamc2SW5Welp YSmtZWF JoS Wp0aE9qTT... 
xoxipemej.cn /gr/sl/ 

xoxipeme j. cn / gr/s 1 /?e=s 1 &id=MSIE&f id= 12673240&pid=2&v=7.0 
xoxipemej. cn /gr/s 1 /?e=s 18dd=MSIE&v=7.0&pid=3&f id=12673240 
xoxipemej. cn /gr/s 1 /?id=MSIE8ae=s 1 &v=7. O&f id= 12673240&pid=4 

xoxipemej. cn / gr/6af 22bc4ac 1 df946456a5430b36f 731 f. php?pid=2&f id= 12673240&e=s 1 &._ 


mesghal.com - Email: shahnamgolshany@yahoo.com 

niptoon.com 

mydvdinfo.com - Email: usa@crystais.com 

receptionist-pro. com 
hitinto.com 

importedfoodscorp.com - Email: 
apompeo@importedfoodscorp. com 

newhavenfiies.com - Email: wenzei@techie.com 

waiterwagnerassocia tes. com 

excellentutiiites.com - Email: wentexkino@ymail.com 

pengs.com 

livingwithdragons.com - Email: gregory@lamerton.ltd.uk 

amigroups. com 
iransa tne ws. com 

dvddatadirect.com - Email: friese@toke.com 
itiist.com - Email: support@gossimer.biz 




gossimer.net - Email: support@gossimer.biz 

Following the bogus dropper, the cybercriminals are also 
directly serving client-side exploits to users seeking for 
security related content. In this case, the exploits/malware 
are served from xoxipemej.cn/gr/sl/ -178.63.170.185 - 

Email: shiwei_ fang77@126. com. 

- Detection rate: 

[5J.exe - Rootkit.Agent.AJDR, Result: 20/42 (47.62 %) 

File size: 53760 bytes 

MD5...: 23244c5b5b02fab65b3a 7ab51005fd51 

SHA1..: a5flal0344378f2c8fl3c266dce39247ba3bae5f 
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bbbinvestigabon org 



Parked on the same IP 178.63.170.185, AS24940 are also: 
2011traff.com - Email: MillieDiaz4@aol.com 
2011-traff.com - Email: MillieDiaz4@aol.com 
bbbinvestigation.org - Email: accounting@moniker.com 
best-sofa-choice.com - Email: migray71@yahoo.com 
celloffer-2015.com - Email: migray71@yahoo.com 
fiying-city-2011.com - Email: migray71@yahoo.com 
jiujitsufgua.com - Email: varcraft@care2.com 




jopaduloz.cn - Email: qing_hongwei@126.com 

lokexawan.cn - Email: shiwei_fang77@126.com 

mapozeloq.cn - Email: shiwei_fang77@126.com 

melonirmonianmonia.com - Email: 
accounting@moniker. com 

mivaqodaz.cn - Email: shiwei_fang77@126.com 
nasnedofweiggyt.com - Email: roller_59@hotmail.com 
redolopip.cn - Email: shiwei_fang77@126.com 
redspot2010.com - Email: migray71@yahoo.com 
rohudufoj.cn - Email: qing _hongwei@126.com 
sujelodos.cn - Email: qing_hongwei@126.com 
traff2011.com - Email: MillieDiaz4@aol.com 
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traff-2012.com - Email: MillieDiaz4@aol.com 

uweyujem.com - Email: resumemolars@live.com 

viwuvefot.cn - Email: shiwei_fang77@126.com 

wkeuhryyejt.com - Email: excins@iname.com 

xoxipemej.cn - Email: shiwei_fang77@126.com 

Last, but not least is the sea re ware infection taking place 
through wwwl.warezforyou24.co.cc/?p=p52 - 



114.207.244.146; 114.207.244.143; 114.207.244.144; 
114.207.244.145. Parked on these IPs is also an exten¬ 
sive portfolio of related sea re ware domains. 

- Detection rate: 

[6]packupdatel07_231.exe - 

Suspicious: W32/Ma/ware! Gem ini, Result: 3/42 (7.15 %) 

File size: 238080 bytes 

MD5...: 93517875c59ac33dab655bc8432b0724 

SHA1..: 774af049406baeef342 7b91 a2d67ee0250b2b51 b 

Upon execution the sample phones back to: 

update2.cleanupyoursoft.com - 209.222.8.101 - Email: 
gkook@checkjemaU. nl 

updatel.soft-cleaner.com - 95.169.186.25 - Email: 
gkook@checkjemaii. nl 

securel.smartavz.com - 91.207.192.26 - Email: 
gkook@checkjemaU. nl 

report.mygoodguardian.com - 93.186.124.94 - Email: 
gkook@checkjemaU. nl 

www5.securitymasterav.com - 91.207.192.25 - Email: 
gkook@checkjemaU. nl 

update2.soft-cleaner.net - 209.222.8.100 - Email: 
gkook@checkjemaU. nl 

report.mytrueguardian.net - 79.171.23.150 - Email: 
gkook@checkjemaU. nl 



secure2.smartavz.net - 217.23.5.99 - Email: 
gkook@checkjemail. nl 

updatel.free-guard.com - Email: gkook@checkjemail.nl 

report.mygoodguardian.com - 93.186.124.94 - Email: 
gkook@checkjemail. nl 

updatel.soft-cleaner.com - 95.169.186.25 - Email: 
gkook@checkjemaU. nl 

www5.securitymasterav.com - 91.207.192.25 - Email: 
gkook@checkjemail. nl 

update2.soft-cleaner.net - 209.222.8.100 - Email: 
gkook@checkjemaU. nl 

report.mytrueguardian.net - 79.171.23.150 - Email: 
gkook@checkjemail. nl 

The cybercrime-friendly domains portfolio is in a process of 
getting suspended. 

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8Jon Twitter. 

1. httD://www.zdnet.com/bloa/securit v/c vbercriminals- 
promotina-malware-friendlv-search-enaines/3333 

2. htto://ddanchev.blo as oot.com/2010/07/exploits-malware- 
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SS2 Amazon 

SSb delivers 

Verify Your New E-maii Address 


amazoncom 


Dear 

You recently changed your e-mail address at Amazon.com. Since you are a subscriber of 
Amazon.com Delivers E-mail Subscriptions, you will need to verify your new e-mail address. 

Please verify that the e-mail address belongs to you. You can click on the 

link below to complete the verification process. 

Confirm 

Alternatively, you can type or paste the following link into your Web browser: 

http://www.amazon.com 


If you no longer wish to receive Amazon.com Delivers E-mail Subscriptions, you can unsubscribe here . 

Please note that this message was sent to the following e-mail address: 

Help | Conditions of Use | Privacy Notice © 1995-2006, Amazon.com, Inc or its affiliates. 

Spamvertised Amazon "Verify Your Email", "Your 
Amazon Order" Malicious Emails (2010-07-16 21:17) 

And they're back (Gumblar or RUmblar due to the extensive 
use of .ru domains) for a decent start of the weekend - 

switching social engineering themes one more time, this 
time impersonating Amazon.com 

• NOTE: A summary of the malicious payload served will be 
posted at a later stage. Meanwhile, in order to facilitate 
quicker response, a complete list of the domains 
participating will be featured/disseminated across 

the appropriate parties. 

- Sample subject: Amazon.com: Please verify your new e- 
mail address 

- Sample message: " Dear email, You recently changed 
your e-mail address at Amazon.com. Since you are a 
subscriber of Amazon.com Delivers E-mail Subscriptions, you 
will need to verify your new e-mail address. Please verify 











that the e-mail address email belongs to you. You can dick 
on the link below to complete the verification process. 
Alternatively, you can type or paste the following link into 
your Web browser: http://www.amazon.com" 
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AS ► AS24806 


Client-side exploitation is taking place through, for instance, 

crystalrobe. ru: 




8080/index.php?pid= 14 and 

hillchart.com: 8080/index.php?pid=14. As seen in 
previous campaigns, this one is also sharing an identical 
directory structure, such as: 

malicious-domain, com :8080/index.php ?pid=2 

malicious-domain.com :8080/Notesl.pdf (Notes 1-to 
Notesl0.pdf) 

malicious-domain, com :8080/Ne wCames.jar 

malicious-domain, com :8080/Cames.jar 

malicious-domain.com :8080/Appletl.html (Appletl 
to-Appletl O.html) 

malicious-domain, com :8080/welcome.php ?id= 6 
&pid=l &hello=503 

crystalrobe.ru :8080/index.php?pid= 14 

crystalrobe. ru :8080/jquery.jxx?v=5.3.4 

crystalrobe.ru :8080/new/controller.php 

crystalrobe.ru :8080/js.php 
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crystalrobe.ru :8080/welcome.php?id=6 &pid=l 
&hello=503 

crystalrobe.ru :8080/welcome.php?id=0 &pid=l 

Client-side exploits serving domains ( 94.23.231.140; 
91.121.115.208; 94.23.11.38; 94.23.224.221; 
94.23.229.220) part of the campaign: 


applecorn.com - Email: es@qx8.ru 
areadrum.com - Email: qx@freenetbox.ru 
busyspade.com - Email: baffle@freenetbox.ru 
cafemack.com - Email: soy@qx8.ru 
clanday.com - Email: elope@fastermail.ru 
dnsofthost.com - Email: depot@infotorrent.ru 
drunkjeans.com - Email: runway@5mx.ru 
earlymale.com - Email: amply@maillife.ru 
galslime.com - Email: soy@qx8.ru 
1467 

gigasofa.com - Email: grind@fastermail.ru 
hillchart.com - Email: soy@qx8.ru 
hugejar.com - Email: runway@5mx.ru 
ionicclock.com - Email: kin@maillife.ru 
lasteye.com - Email: ampiy@maillife.ru 
luckysled.com - Email: kin@maillife.ru 
macrotub.com - Email: dodge@5mx.ru 
oldgoal.com - Email: kin@maillife.ru 
outerrush.com - Email: amply@maillife.ru 
quietzero.com - Email: grind@fastermail.ru 



radiomum.com - Email: es@qx8.ru 
roundstorm.com - Email: es@qx8.ru 
sadute.com - Email: grind@fastermaii.ru 
sheepbody.com - Email: es@qx8.ru 
shinytower.com - Email: cord@maillife.ru 
splatspa.com - Email: eiope@fastermaii.ru 
tanspice.com - Email: dodge@5mx.ru 
tanyear.com - Email: grind@fastermail.ru 
tightsales.com - Email: runway@5mx.ru 
tuneblouse.com - Email: es@qx8.ru 
validplan.com - Email: dodge@5mx.ru 
waxyblock.com - Email: cord@maillife.ru 
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allnext.ru - Email: swipe@maillife.ru 
barnsoftware.ru - Email: people@big mail box. 
bestbidline.ru - Email: jody@fastermail.ru 
bestexportsite.ru - Email: orphan@qx8.ru 
bittag.ru - Email: tips@freenetbox.ru 
boozeiight.ru - Email: ole@bigmailbox.ru 


brandnewnet.ru - Email: orphan@qx8.ru 
cangethelp.ru - Email: iiver@freenetbox.ru 
chainjoke.ru - Email: ole@bigmaiibox.ru 
comingbig.ru - Email: swipe@maillife.ru 
countypath.ru - Email: liver@freenetbox.ru 
crystalrobe.ru - Email: people@bigmailbox.ru 
cupjack.ru - Email: tips@freenetbox.ru 
dealyak.ru - Email: people@bigmailbox.ru 
eyesong.ru - Email: tips@freenetbox.ru 
1469 

familywater.ru - Email: ole@bigmailbox.ru 
funsitedesigns.ru - Email: orphan@qx8.ru 
galneed.ru - Email: people@bigmailbox.ru 
girllab.ru - Email: tips@freenetbox.ru 
greedford.ru - Email: ole@bigmailbox.ru 
guntap.ru - Email: tips@freenetbox.ru 
heroguy.ru - Email: ole@bigmailbox.ru 
homecarenation.ru - Email: orphan@qx8.ru 
homesitecam.ru - Email: orphan@qx8.ru 
hookdown.ru - Email: crag@maillife.ru 



horsedoctor.ru - Email: ole@bigmailbox.ru 
jarpub.ru - Email: ole@bigmailbox.ru 
liplead.ru - Email: ole@bigmailbox.ru 
iivesitedesign.ru - Email: orphan@qx8.ru 
mansbestsite.ru - Email: orphan@qx8.ru 
marketholiday.ru - Email: people@bigmailbox. 
metaispice.ru - Email: ole@bigmailbox.ru 
mingieas.ru - Email: crag@maillife.ru 
motherfire.ru - Email: people@bigmailbox.ru 
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musicbestway.ru - Email: jody@fastermail.ru 
musicsiteguide.ru - Email: crag@maillife.ru 
netbesthelp.ru - Email: liver@freenetbox.ru 
netwebinternet.ru - Email: dibs@freemailbox. 
newagedirect.ru - Email: orphan@qx8.ru 
newhomelady.ru - Email: orphan@qx8.ru 
newinfoworld.ru - Email: orphan@qx8.ru 
newworldunion.ru - Email: orphan@qx8.ru 
ourfreesite.ru - Email: orphan@qx8.ru 


panlip.ru - Email: tips@freenetbox.ru 
pantscow.ru - Email: ole@bigmailbox.ru 
problemdollars.ru - Email: people@bigmailbox.ru 
raceobject.ru - Email: people@bigmailbox.ru 
silencepill.ru - Email: ole@bigmailbox.ru 
sisterqueen.ru - Email: ole@bigmailbox.ru 
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siaveday.ru - Email: ole@bigmailbox.ru 
stareastwork.ru - Email: next@fastermail.ru 
superblenderworld.ru - Email: crag@maillife.ru 
superhoppie.ru - Email: soft@bigmailbox.ru 
supertruelife.ru - Email: edsel@fastermail.ru 
superwestcoast.ru - Email: crag@maillife.ru 
theantimatrix.ru - Email: ole@bigmailbox.ru 
tintie.ru - Email: swipe@maillife.ru 
topmediasite.ru - Email: tips@freenetbox.ru 
treecorn.ru - Email: tips@freenetbox.ru 
trueblueally.ru - Email: soft@bigmailbox.ru 
trueblueberyl.ru - Email: soft@bigmailbox.ru 
tunemug.ru - Email: tips@freenetbox.ru 



ushead.ru - Email: crag@maillife.ru 
westbendonline.ru - Email: edsel@fastermail.ru 
yaktrack.ru - Email: ole@bigmailbox.ru 
yournewonline.ru - Email: orphan@qx8.ru 
yourtolltag.ru - Email: orphan@qx8.ru 
yourtruecrime.ru - Email: soft@bigmailbox.ru 
zooneed.ru - Email: ole@bigmailbox.ru 
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Name servers of notice: 

nsl.dnsofthost.com - 81.2.210.98 

ns2.dnsofthost.com - 194.79.88.121 

ns3.dnsofthost.com - 67.223.233.101 

ns4.dnsofthost.com - 85.214.29.9 

The NAUNET-REG-RIPN domain registrar, although, having 
already registered over a [1] 100 ZeuS crimeware 

friendly domains, there's little chance they'll take action. 
Updates, including take down/remediation actions will be 
posted as soon as they emerge. 

This post has been reproduced from [2]Dancho 
Danchev's blog. Follow him [3Jon Twitter. 


1. https://zeustracker abuse, ch/monitor. oho? 
re gistrar=NAUNET-REG-RIPN 

2. htto://ddanchev.blo as oot.com/ 

3. htto://twitter.com/danchodanchev 
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Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign (2010-07-19 20:26) 

Over the weekend, a " Scan from a Xerox WorkCentre Pro" 
themed malware campaign relying on zip archives, was 
actively spamvertised by cybecriminals seeking to infect 
gullible end/corporate users. 

What's particularly interesting about this campaign, is the 
cocktail of malware dropped on infected hosts, in¬ 
cluding Asprox sample ([1] Money Mule Recruiters use 
ASProx's Fast Fluxing Services ), and two separate 
samples of Antimalware Doctor. 

- Sample subject: Scan from a Xerox WorkCentre Pro 
$9721130 

- Sample message: " Please open the attached document. 
It was scanned and sent to you using a Xerox WorkCentre 
Pro. 

Sent by: Guest 
Number of Images: 1 
Attachment File Type: ZIP [DOC] 







WorkCentre Pro Location: machine location not set Device 
Name: XRX2090AA7ACDB45466972. For more in¬ 
formation on Xerox products and solutions, please visit 
http://www.xemx. com " 

- Detection rates: 

- [2]Xerox_docl.exe - Trojan. Win32.Jorik.Oficla.bb - Result: 
34/42 (80.96 %) 

File size: 30926 bytes 

MD5...: Id378a6bc94d5b5a702026d31 c21 e242 
SHA1..: 545e83f547d05664cd6792e254b87539fba24eb9 

- [3]Xerox _doc2.exe - Trojan. Win32.Jorik.Oficla.ba - Result: 
34/42 (80.96 %) 

File size: 43520 bytes 

MD5...: 829c86d4962fl 86109534b669ade4 7d7 
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SHA1..: 5d3d02d0f6ce87cd96a34b73dc395460d623616e 

The samples then phone back to the Oficla/Sasfis C &Cs at 

hulejsoops.ru/images/bb.php?v=200 &id=554905388 

&b=avpsales &tm=3 - 91.216.215.66, AS51274 - Email: 
mxx3@yandex.ru which periodically rotates three different 
executables using the following URLs: 


0815.ch /pic/view.exe 


curseri.ch /pictures/securedupdaterfix717.exe 
regionalprodukte-beo.ch /about/cgi. exe 

Backup URLS: 

leeitpobbod.ru/image/bb.php - 59.53.91.195, AS4134 - 
Email: mxx3@yandex.ru - dead response 

loloohuildifsd.ru/image/bb.php - 68.168.222.158 - Email: 
mxx3@yandex.ru - dead response 

nemohuildifsd.ru/image/bb.php - 59.53.91.195 
(nemohuildiin.ru, 

russianmomds. ru), 

AS4134 - Email: 

mxx3@yandex.ru - dead response 

Let's take a peek at the samples found within the C &C. 

[4Jview.exe - Trojan. Win32.Jorik.Aspxor.e - Result: 11/42 
(26.2 %) 

File size: 79360 bytes 

MD5...: 5d296felef7bf67f36fe9adb209398ee 

SHA1..: 41b45bcd241cd97b72d7866dl3c4a0eb6bf6a0ee 
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Upon execution, the sample phones back to well known 
Asprox C &Cs: 


[5]d63amgstart.ru: 80/board.php 

- 91.213.217.4, AS42473 - Email: ssal@yandex.ru 

[ 6 jhypervmsys. ru: 80/board.php - 89.149.223.232 
(hostagents.ru), AS28753 - Email: 
vadim. rinato vich@yandex. ru 1476 
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Previously, all of the following ASPRox domains used 
exclusively for massive SQL injections, used to respond to 

91.213.217.4: 

webservicesbba.ru - Email: anrnews@mail.ru 
webservicelupa.ru - Email: anrnews@mail.ru 
webserivcekota.ru - Email: anrnews@mail.ru 
webservicesrob.ru - Email: anrnews@mail.ru 
webserivcezub.ru - Email: anrnews@mail.ru 
webserviceforward.ru - Email: anrnews@mail.ru 
webserivcessh.ru - Email: anrnews@mail.ru 
webservicesmulti.ru - Email: anrnews@mail.ru 
webservicezok.ru - Email: anrnews@mail.ru 
webservicebal.ru - Email: anrnews@mail.ru 
webservicefull.ru - Email: anrnews@mail.ru 
webservicessl.ru - Email: anrnews@mail.ru 
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webserviceaan.ru - Email: anrnews@mail.ru 

webservicedevlop.ru - Email: anrnews@mail.ru 

webserviceftp.ru - Email: anrnews@mail.ru 

hypervmsys.ru - Email: anrnews@mail.ru 

webserviceget.ru - Email: anrnews@mail.ru 

webserviceskot.ru - Email: anrnews@mail.ru 

cl63amgstart.ru - Email: ssal@yandex.ru 

ml63amgstart.ru - Email: ssa21@yandex.ru 

webservicesttt.ru - Email: anrnews@mail.ru 

webservicenow.ru - Email: anrnews@mail.ru 

webservicekuz.ru - Email: anrnews@mail.ru 

Currently, the gang's migrating this infrastructure to 
109.196.134.58, A539150, VLTELECOM-AS VLineTelecom 
LLC Moscow, Russia. 

AH of these domains+subdomains sharing the same js.js 
directory structure, which upon visiting loads URLs such as 

(accesspad.ru :8080/index.php?pid=6) with the rest of 
the domains sharing the same infrastructure as the ones 
profiled in "[7]Spamvertised Amazon "Verify Your 
Email", "Your Amazon Order" Malicious Emails" post: 
access, webservicebal.ru 

admin, webserivcekota.ru 

a pi. webserivcessh.ru 



app. webserviceforward.ru 
app. webservicesrob.ru 
base, webserviceftp.ru 
batch, webserviceaan.ru 
batch, webservicebal.ru 
bios, webservicesbba.ru 
block, webserviceaan.ru 
block, webservicesrob.ru 
cache, webservicesbba.ru 
cache, webservicesmulti.ru 
chk. webservicezok.ru 
cmdid. webserivcezub.ru 
code, webservicesbba.ru 
com. webserivcekota.ru 
com. webservicedevlop.ru 
ddk. webservicesrob.ru 
default, webservicezok.ru 
diag. webserviceftp.ru 
direct, webserviceftp.ru 
dll. webservicelupa.ru 



drv. webservicebal.ru 


drv. webservicesrob.ru 
encode, webservicefull.ru 
err. webserivcessh.ru 
export, webservicedevlop.ru 
ext. webserviceaan.ru 
ext. webservicesbba.ru 
file, webserivcekota.ru 
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file, webserivcessh.ru 
filter, webservicedevlop.ru 
font, webservicelupa.ru 
gdi. webserviceftp.ru 
get. webservicesbba.ru 
go. webserivcekota.ru 
go. webservicefull.ru 
guid. webserivcezub.ru 
hostid. webservicesbba.ru 
host id. webservicesmulti.ru 


http, webserviceforward.ru 
icmp. webservicesbba.ru 
id. webserivcezub.ru 
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inf. webserviceaan.ru 
info, webservicedevlop.ru 
ini. webservicesrob.ru 
iocti. webservicedevlop.ru 
kernel, webservicezok.ru 
Ian. webservicefull.ru 
Ian. webservicesbba.ru 
lib. webservicebal.ru 
lib. webserviceftp.ru 
I ibid, webservicelupa.ru 
load, webservicebal.ru 
locate, webservicelupa.ru 
log. webservicelupa.ru 
log. webservicezok.ru 
log-in. webservicessi.ru 
manage, webservicesbba.ru 



map. webserivcezub.ru 
map. webservicedevlop.ru 
media, webserviceftp.ru 
mode, webservicelupa.ru 
net. webservicebal.ru 
netapi. webserviceaan.ru 
netmsg. webserivcezub.ru 
nsl.webservicelupa.ru 
ns2. webservicelupa.ru 
ntdii. webservicessl.ru 
ntio. webservicelupa.ru 
ntio. webservicezok.ru 
obj. webservicesbba.ru 
object, webserivcessh.ru 
object, webservicesmulti.ru 
oem. webservicebal.ru 
offset, webservicefull.ru 


ole. webservicesbba.ru 
org. webservicesrob.ru 
page, webserviceaan.ru 



parse, webservicebal.ru 
peer, webserviceaan.ru 
pic. webservicesbba.ru 
pool, webservicelupa.ru 
port, webservicebal.ru 
port, webservicesbba.ru 
port, webservicessl.ru 
proc. webserviceaan.ru 
proc. webservicessl.ru 
rdir. webserviceftp.ru 
redir. webservicedevlop.ru 
refer, webserivcezub.ru 
reg. webserviceaan.ru 
remote, webservicessl.ru 
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run. webserivcekota.ru 
script, webserivcezub.ru 
sdk. webserivcezub.ru 
search, webserviceaan.ru 
search, webservicedevlop.ru 



setup, webserivcezub.ru 
setup, webservicezok.ru 
snmp. webserviceforward.ru 
snmp. webservicesrob.ru 
sslcom. webserivcessh.ru 
sslcom. webservicesrob.ru 
sslid. webserivcekota.ru 
sslnet. webservicedevlop.ru 
s vc. webservicede vlop. ru 
tag. webservicebal.ru 
tag. webservicessl.ru 
tid. webserviceftp.ru 
time, webservicelupa.ru 
udp. webserviceftp.ru 
udp. webservicezok.ru 
update, webserviceftp.ru 
update, webservicefull.ru 
url. webservicesbba.ru 
url. webservicezok.ru 
vba. webservicesrob.ru 



vbs. webservicelupa.ru 
ver. webserivcekota.ru 
webserivcekota. ru 
webserivcessh.ru 
webserivcezub. ru 
webserviceaan.ru 
webservicebal. ru 
webservicede vlop. ru 
webserviceforward. ru 
webserviceftp. ru 
webservicefull. ru 
webserviceget. ru 
webservicelupa. ru 
webservicesm ulti. ru 
webservicesrob.ru 
webservicessl. ru 
webservicezok. ru 
win. webservicezok.ru 
xml. webservicefull.ru 
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Getting back to the samples rotated by the original 
campaign binary, and their detection rates, network 
interactions. 

- Detection rates: 

- [8Jsecuredupdaterfix717.exe - Trojan. Win32. Fake Yak - 
Result: 22/42 (52.39 %) 

File size: 36864 bytes 

MD5...: cdl 6d4c998537248e6d4d0a3d51 ca6de 
SHA1..: 7e36ef0ce85facl 8ecffd5a82566352ce0322589 
Phones back to: 

s.ldwn.in/inst.php?fff=7071710000 &saf=ru - 
91.188.60.236 (updget.in; wordmeat.in), [9JAS6851 - 

Email: feliciachappell@ymail. com 

boot free, in/ MainModule717releasel0000.exe - 
194.8.250.207 (flowload.in; lessown.in; sstats.in), 

AS43134 - 

Email: feliciachappell@ymail. com 

s.wordmeat.in/install.php?coid= - 91.188.60.236, 
[10JAS6851 - Email: feliciachappell@ymail.com 
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- Detection rate for MainModule717releasel0000.exe 


- [HJMainModule717releasel0000.exe - 

Trojan:Win32/FakeYak - Result: 26/42 (61.90 %) 

File size: 1043968 bytes 

MD5...: 3c30c62e9981 bd86c589744 7cb358235 
SHA1...: 36bfc285a61bcb67f2867dd303ac3cefa0e490a0 
Phones back to: 

wordmeat.in - 91.188.60.236 - Email: 
feliciachappell@ymail. com 

vismake.in - 91.188.60.236 - Email: 
kee\inge\izabeth@ymai\. com 

- Detection rate for the 3rd binary rotated in the original C 
&C: 

- [12Jcgi.exe - Trojan.inject.8960 - Result: 6/42 (14.29 %)File 
size: 62976 bytes 

MD5...: 45c062490e0fc262cl 81 efc323cb83ba 
SHA1..: bff90630f2064d7bcc82b7389c2b8525ff960870 
Phones back to: 

musiceng.ru/music/forum/indexl.php - 91.212.127.40, 
A549087 - Email: oi.feodosoff@yandex.ru 

The whole campaign, is a great example of what cybercrime 
underground multitasking is all about. Moreover, 

it illustrates the interactions between the usual suspects, 
with the not so surprising appearance of the already profiled 

[13]AS6851, BKCNET, Sagade Ltd. 



This post has been reproduced from [14]Dancho 
Danchev's blog. Follow him [15]on Twitter. 
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ZeuS Crimeware Serving 123Greetings Ecard Themed 
Campaign in the Wild (2010-07-20 23:40) 





























Ubiquitous social engineering schemes, never fade away 
ZeuS crime ware campaigners are currently using a 

123greetings.com ecard-themed campaign, in an attempt to 
entice users to " enjoy their ecard". 

Subject: " You have received an Greeting eCard" 

Message: " Good day You have received an eCard 

To pick up your eCard, choose from any of the following 
options: Click on the following link (or copy & paste it into 
your web browser): matt-levine.com /ecard.exe; 
secondary URL offered: forestarabians.nl/ecard.exe Your 
card will be aviailable for pick-up beginning for the next 30 
days. Please be sure to view your eCard before the days are 
up! 

We hope you enjoy you eCard. Thank You! " 

Detection rate: 

- [ljecard.exe - Cryp _Zbot-12; Trojan/Win32.Vundo - Result: 
9/42 (21.43 %) 

File size: 147968 bytes 

MD5...: e6f3aa226bf9733b 7e8c07cab339f4dc 

5HA1..: e983767931900al3b88a615d6cld3f6ff8fb6b60 

Upon execution, the sample phones back to: 

[ 2 jzephehooqu. ru /bin/koethood. bin - 77.78.240.115, 
A542560 - Email: skit@5mx.ru 

[ 3 jjocudaidie. ru /9xq/ gate.php -118.169.173.218, 
A53462 - Email: skit@5mx.ru - FAST-FLUXED 



Multiple MD5s are also currently active at zephehooqu.ru. 
Detection rates: 

[4Jaimeenei.exe - Win32/Zbot.CJI - Result: 30/42 (71.43 %) 
File size: 149504 bytes 

MD5...: 096b7e8c4f611 f0eb69cfb 776f3a0e7e 
SHA1..: 909d7c2740f84599d5e30ffed7261el9ad4a962a 
[5Jcahdoigu.exe - Mal/Zbot-U - Result: 27/42 (64.29 %) 

File size: 147968 bytes 

MD5...: 11 f9f96cl 7584a672c2a563744130a46 
SHA1..: f31 c40c5c766c7628023105be6f004e5322bl 7b6 
[6Jkoethood.exe - Troj/Zbot-SW - Result: 30/42 (71.43 %) 
File size: 147968 bytes 

MD5...: da1979227141844be69577f7f31 a7309 

SHA1..: 5ada2c390e63ca051c9582fe723384ce52a45912 

[7Jloobuhai.exe - BKDR QAKBOT.SMB - Result: 33/42 
(78.58 %) 

File size: 147968 bytes 

MD5...: df4el 9af8c356b3ff810bc52f6081 ccc 

SHA1..: d4ald2fl47ae0d24a3eaac66e8d2f9de50cf7a0c 
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[8Joovaenai.exe - Packed. Win32.Katusha.j - Result: 32/42 
(76.2 %) 

File size: 147456 bytes 

MD5...: f0fd5579f06d5b581 b5641546ae91 d52 

5HA1..: c81 fa66c546020f3clc34a0dl aa 191 b2d9578fO7 

[9Jquohthei.exe - Win32/Spy.Zbot.YW - Result: 33/42 (78.58 
%) 

File size: 147968 bytes 

MD5...: ffc0d66024f690e875638f4c33ba86fl 

SHA1..: C958f3426a3e6fedd76b86a5aefl6c90915ac539 

[10Jsofeigoo.exe - Win32/Spy.Zbot.YW - Result: 31/42 
(73.81 %) 

File size: 148992 bytes 

MD5...: 45e98426fafd221 ffb7d55ce8alae531 

SHA1..: 8235b3a80ba6611779dfd4db40a48627af7374eb 

[llJteemaeko.exe - PWS:Win32/Zbot.gen!Y - Result: 32/42 
(76.2 %) 

File size: 148992 bytes 

MD5...: 9758f04d2flbd664f37c4285a013372a 

SHA1..: 4273dc48f9aeaf69cb7047c4a882af744 79fb635 


[12Jthaigogo.exe - Win32/Spy.Zbot.YW - Result: 34/42 
(80.96%) 

File size: 147968 bytes 

MD5...: b667d75f5bb9f23a8ae249f7de4000a5 
SHA1..: 7b57783dcf2aeaafbab3407bb608469851 d342bb 
[13jziejaing.exe - Trojan.Zbot. 610 - Result: 30/42 (71.43 %) 
File size: 147456 bytes 

MD5...: 7592e957de01e53956517097c0e9ccd8 

SHA1..: e7c04d2c8c5d4a51e2615a2ee015d87d28655320 

Related .ru cybercrime-friendly domains, sharing fast-flux 
infrastructure with this campaign's C &C: 

adaichaepo.ru - Email: subtle@maillife.ru 

aroolohnet.ru - Email: brawn@bigmailbox.ru 

dahzunaeye.ru - Email: celia@freenetbox.ru 

esvr3.ru - Email: bender@freenetbox.ru 

hazeipay.ru - Email: owed@bigmailbox.ru 

iesahnaepi.ru - Email: heel@bigmailbox.ru 

iveeteepew.ru - Email: atomic@freenetbox.ru 

jocudaidie.ru - Email: skit@5mx.ru 

ohphahfech.ru - Email: warts@maillife.ru 

railuhocal.ru - Email: celia@freenetbox.ru 



sdlls.ru - Email: vc@bigmailbox.ru 

Name servers of notice within the fast-fiux infrastructure: 

nsl.tophitnews.net - 74.122.197.22 - Email: 
worldchenell@ymail. com 

ns2.tophitnews.net -173.19.142.57 
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nsl.usercool.net - 74.122.197.22 

ns2.usercool.net - 76.22.74.15 

nsl.welcominternet.net - 74.54.82.223 - Email: 
admin@rangermadeira. com 

ns2.welcominternet.net - 74.54.82.223 

nsl.gamezoneland.com -188.40.204.158 - Email: 
xtrail. corp@gmail. com 

ns2.gamezoneiand.com -174.224.63.18 

nsl.tropic-noik.com -188.40.204.158 - Email: 
greysy@gmx. com 

ns2.tropic-nolk.com -171.103.51.158 

nsl.interaktivitysearch.net - 202.60.74.39 - Email: 
ssupercats@yahoo. com 

ns2.interaktivitysearch.net - 202.60.74.39 

nsl.openworldwhite.net - 202.60.74.39 - Email: 
xtrail. corp@gmail. com 

ns2.openworldwhite.net - 43.125.79.23 



nsl.heiphotbest.net - Email: worldchenell@ymail.com 
It gets even more interesting. 

[14Jgreysy@gmx.com has already been profiled in an 

Avalanche botnet campaign using [15]TROYAK-AS's 
services back then ([16] The Avalanche Botnet and the 
TROYAK-AS Connection ), followed by another assessment 

"[17JTorrentReactor.net Serving Crimeware, Client- 
Side Exploits Through a Malicious Ad" where the same 
email was also used to register a name server part of the 
fast-flux infrastructure of the ZeuS crimeware’s C &Cs. 

This post has been reproduced from [18]Dancho 
Danchev's blog. Follow him [19]on Twitter. 

1 . 

htto.V/www. virustotal. com/analisis/6fa6220a2ede4f8b700025 

d 7e3c566d5fac0ce0309bb99a3d62c2348fc4b211 d-12 796 

34229 

2. https://zeustracker. abuse, ch/monitor. oho? 
host=zephehooqu. ru 

3. https://zeustracker. abuse, ch/monitor. php? 
host=iocudaidie. ru 

4. 

http://www. virustotal.com/analisis/077ad77f77e4e2987633a 

Oc 78f8a54e664e9ecaacfa3 7128c0631326182c 5 7 If-12 796 

35278 


5 . 















htto: //www. virustotal. com/analisis/652eeb7dfbb26f203e9a46 

481604ea4e44cl bl 2 793313b232bce45a 6a41f2e 78-12 796 

35282 

6 . 

htto://www. virustotal. com/analisis/7537dcl 04a87606ad7c97 

a61c0e2df51ab718ed058975039fa691f9dac528b9c-12796 

35287 

7. 

htto://www. virustotal.com/analisis/4cad09c241308174a674c 

2a48ef25bf062b9344e55b2742a8b2ef3dba2ela4cd-12796 

35293 

8 . 

htto://www. virustotal. com/analisis/54e80ed3761e03e618502 

d6a16722Ibl4f62c26762a63c99514186fc7f499f81-12796 

35298 

9. 

http://www. virustotal.com/analisis/d78516adb99d08970ba67 

d5396f0al927dc6f0eeddlc0eae0412404b076e5234-12796 

35315 

10 . 

htto://www. virustotal. com/analisis/09df053716f8a262332d36 

1 eb590cad8f350ec58a 60b3cffd33e 76c8bc64 7a 3 b-12 796 

35326 




















11 . 

http://www. virustotai com/analisis/cfal 60f6f4d763daf400c03 

dlb994bccca2d26c8c4c8ea5717113d935fe59382-12796 

35329 

12 . 

http://www. virustotai. com/analisis/5f732cf733a052d2bba3a3 

60e 7a 7994bb3ccdd76aa036b5f6777a b 78164d0037-12796 

35336 

13. 

htto://www. virustotai. com/analisis/0da6ba3b7154f9fbbbcb4e 

a0771c63262a5e4e0al5c69de7d9706ece7621b289-12796 

35343 

14. http.V/ddanchev.blo as oot. com/2010/02/irsohotoarchive- 
themed-zeusciien t-side. h tmi 

15. htto://www.zdnet. com/bloa/securitv/trovak-as-the- 
c vbercrime-friendlv-iso-that-iust- wont-ao-a wa v/5761 

16. http.V/ddanchev.blo as oot. com/2010/05/avalanche-botnet- 
and-trovak-as. html 
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17. http.V/ddanchev.blo as oot. com/2010/05/torrentreactornet- 
servina-crimeware. html 

18. http.V/ddanchev.blo as pot.com/ 

19. http://twitter.com/danchodanchev 
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Summarizing Zero Day's Posts for July (2010-08-02 
14:54) 

The following is a brief summary of all of my posts at 

[lJZDNet's Zero Day for July, 2010. You [2 Jean also go 

through 

[3] previous summaries, as well as subscribe to my 

[4] personai RSS feed, [5]Zero Day's main feed, or 

follow me on Twitter: 

Recommended reading: 

• [6]Does Microsoft's sharing of source code with China and 
Russia pose a security risk? 

• [yjMiddie East countries: the BlackBerry is a national 
security threat 

• [8]Report: Apple had the most vulnerabilities throughout 
2005-2010 

01. [9 JI mage Gallery: June's cyber threat landscape 

02. [lOJThe Pirate Bay hacked through multiple SQL 
injections 

03. [llJDoes Microsoft's sharing of source code with China 
and Russia pose a security risk? 
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04. [12]Report: Apple had the most vulnerabilities 
throughout 2005-2010 

05. [13]Malware Watch: Malicious Amazon themed emails in 
the wild 

06. [14JRSA: Banking trojan uses social network as 
command and control server 

07. [15] Mid die East countries: the BiackBerry is a national 
security threat 

08. [16]image Gallery: Avast! Antivirus office in Prague, 
Czech Republic 

09. [17]image Gallery: Introduction to Avast! Antivirus 
version 5.1 

10. [18]lmage Gallery: The (European) Antivirus market - 
current trends 

11. [19]Google tops comparative review of malicious search 
results 

This post has been reproduced from [20]Dancho 
Danchev's blog. Follow him [21 Jon Twitter. 

1. httD://bioas.zdnet. com/securit v 

2. htto://ddanchev.blo as oot.com/2010/07/summarizina-zero- 
da vs- posts-for-iune. html 

3. http://ddanchev.blo as pot.com/2010/05/summarizina-zero- 
da vs- oosts-for-ma v.html 














4. http://www.zdnet.com/topics/dancho+danchev? 
o=l&mode=rss&ta a -mantle skin:content 

5. http-.//feeds, feedburner, com/zdnet/securit v 

6. http://www.zdnet.com/bloa/securitv/does-microsofts- 
sharina-of-source-code-with-china-and-russia-pose-a-se 

curitv-risl</6789 

7. http://www.zdnet.com/bloa/securitv/middle-east-countries- 
the-biackberrv-is-a-nationai-securitv-threat/6942 

8. http://www.zdnet.com/bloa/securitv/report-a p ple-had-the- 
most-vulnerabilities-throuahout-2005-2010/6801 

9. http://www.zdnet. com/photos/ima ae- aaller v- iunes-cvber- 
threat-iandscaoe/441675 

10. htte://www.zdnet. com/bloa/securitv/the-oirate-ba v- 
hacked-throuah-multiole-sal-iniections/6776 

11 . 

http://www.zdnet.com/bloa/securitv/does-microsofts-sharin a- 

of-source-code-with-china-and-russi a- pose-a- 

securitv-risk/6789 

12. http://www.zdnet.com/bloa/securitv/report-a p ple-had-the- 
most-vulnerabilities-throuahout-2005-2010/6801 

13. http://www.zdnet.com/bloa/securitv/malware-watch- 
malicious-amazon-themed-emails-in-the-wild/6863 

14. htte://www.zdnet. com/bloa/securitv/rsa-bankina-tro ian- 
uses-social-network-as-command-and-control-server/6 
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15. htto.V/www. zdnet. com/bloa/securitv/middle-east- 
coun tries- the-bia ckberrv-is-a-national-securitv-threa t/694 

2 

16. htto.V/www.zdnet.com/photos/ima ae- aallerv-avast- 
a n ti virus-office-m-oraaue-czech-reoubiic/450633 

17. http://www.zdnet.com/photos/ima ae- aallerv-introduction- 
to-avast-antivirus-version-51/450981 

18. http://www.zdnet.com/photos/ima ae- aallerv-the- 
eurooean-antivirus-market-current-trends/451006 

19. htto://www. zdnet. com/bloa/securit v/aoo ale-toos- 
comoarative-review-of-malicious-search-resu Its/7009 

20. http.V/ddanchev.blo as eot.com/ 

21. htto://twitter.com/danchodanchev 
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Spamvertised Best Buy, Macy's, Evite and Target 
Themed Scareware/Exploits Serving Campaign 

(2010-08-09 14:19) 

They are back again ([IJSpamvertised Amazon "Verify 
Your Email", "Your Amazon Order" Malicious Emails; 

[2]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign ) for a fresh start of the 
week, with a currently ongoing spam campaign, serving 
scareware and client-side exploits, using a " Thank you for 



































your payment"/" Thank you for your EXPRESS payment" 
themed subjects impersonating popular brands such as Best 
Buy; Macy's, Target and Evite. 

Let's dissect the campaign, its structure, emphasize on the 
monetization strategy, and expose the complete 

portfolio of the domains involved in the campaign. 

Sample email: 

" Subject :Thank you for your payment Don't miss a thing - 
Add support@e.macys.com to your email address book! 

Click here if you are unable to see images in this email. 

1. Sign in on macys.com at 

https ://www. macys. com/myinfo/index. ognc 

2. Click on "My Account" - "My Profile" at 

https ://www. macys. com/myinfo/profile/index. ognc 

3. Uncheck the box Receive email notification when 
statements are available to view online and when payments 
are due. 

4. Click on "Update Profile" 

5. Expect the change to take place in 3 days 

©2009 macys.com Inc., 685 Market Street, Suite 800, San 
Francisco, CA 94105. AH rights reserved. " 

Compared to previous campaigns, the directory structure 
(fast fluxed :8080/index.php?pid=10; maliciousurl.ru 

/QWERTY.js; maliciousurl.ru /ODBC.js; LAN.js; 

Access.js; End User.js etc. ) of this one remains virtually 



the same, depending, of course, on the angle you choose for 
dissecting it. 
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Sample campaign structure: 

- musicsgeneva.com /x.html - " PLEASE WAITING 4 
SECOND... " 

- opus22.org /x.html - " PLEASE WAITING 4 SECOND... " 

- shamelessfreegift.com /x.html - " PLEASE WAITING 4 
SECOND... " 

- physicianschoiceoniine.com /x.htm - " PLEASE WAITING 
4 SECOND... " 

- baymediagroup ,com:8080/index.php?pid=10 - client- 
side exploits -188.165.95.133; 

188.165.192.106; 

91.121.108.61; 94.23.60.106; 178.32.5.233 - Email: 
fb@bigmailbox. ru 

- hoopdotami.cz .cc/scanner5/?afid=24 -188.72.192.229 

- scareware monetization 

- Detection rate: 

antivirus _24.exe - [3]Trojan. Win32. FraudPack.berq - 
Result: 16/42 (38.1 %) 

File size: 166912 bytes 

MD5. ..: b3cd297c654d3be52ffeb5f6a5ffl3b4 


SHA1..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5 
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Upon execution, the sample phones back to: 

httpsstarss.in /httpss/v=40 &step=2 &hostid= - 

188.72.226.154 - Email: stevieksbaiz@hotmaii.com 

httpstatsconfig.com /getfile.php?r= - 204.12.226.173 - 
Email: httpstatsconfig.com@evoprivacy.com 

Responding to 204.12.226.173 are also: 

nsl.desktopsecurity2010itd.com - Email: 
sixtakidlt2@hotmail. com 

ns2. desktopsecurity201 Oltd. com 

www. desktopsecurity201 Oitd. com 

httpstatsconfig.com 

nsl .http sta tsconfig. com 

ns2. h ttpsta tscon fig. com 

desktopsecuritycorp. com 

nsl. desktopsecuritycorp. com 

ns2. desktopsecuritycorp. com 

Domains using the same name server, nsl. freedomen.info 
- 209.85.99.32 - Email: mail@vetaxa.com 

adsoniineinc.com - 66.96.239.86 


picmonde.com - 94.228.220.93 

bonblogger.com - 94.228.220.93 

h2fastpornpics.com - 94.228.220.93 

celebsfinectpics.com - 94.228.209.133 - Email: 
temp. for. loan@gmail. com 

ceiebsfreeimages.com - 94.228.209.134 - Email: 
hannigey233@hotmaii. com 

picindividuals.com - 94.228.220.93 
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picbloggerprojet.com - 94.228.220.93 
httpsstarss. in 

hippocounter.info - 96.9.177.21 

genesisbeta.net - 94.228.220.94 

Name servers of notice: 

nsl.getyourdns.com - 194.79.88.121 

ns2.getyourdns.com - 77.68.52.52 

ns3.getyourdns.com - 87.98.149.171 

ns4.getyourdns.com - 66.185.162.248 

nsl.instantdnsserver.com - 194.79.88.121 - Email: 
depot@infotorrent. ru 


ns2.instantdnsserver.com - 77.68.52.52 


ns3.instantdnsserver.com -87.98.149.171 
ns4.instantdnsserver.com - 66.185.162.248 
1495 

Client-side exploits serving domains part of the campaign: 
aquaticwrap.ru - Email: vibes@freenetbox.ru 
aroundpiano.ru - Email: vibes@freenetbox.ru 
baybear.ru - Email: vibes@freenetbox.ru 
baymediagroup.com - Email: fb@bigmaiibox.ru 
bayjail.ru - Email: bushy@bigmailbox.ru 
betaguy.ru - Email: vibes@freenetbox.ru 
biockoctopus.ru - Email: semi@freenetbox.ru 
budgetdude.ru - Email: totem@freenetbox.ru 
chaoticice.ru - Email: vibes@freenetbox.ru 
clannut.ru - Email: totem@freenetbox.ru 
clockledge.ru - Email: totem@freenetbox.ru 
coldboy.ru - Email: totem@freenetbox.ru 
countryme.ru - Email: totem@freenetbox.ru 
dayemail.ru - Email: totem@freenetbox.ru 
diseasednoodie.ru - Email: vibes@freenetbox.ru 



discountprowatch.com - Email: bike@fastermail.ru 
dyehill.ru - Email: angles@fastermail.ru 
easychurch.ru - Email: vibes@freenetbox.ru 
economypoet.ru - Email: semi@freenetbox.ru 
envirodoiiars.ru - Email: vibes@freenetbox.ru 
forhomessaie.ru - Email: dull@freemailbox.ru 
galacticstall.ru - Email: vibes@freenetbox.ru 
getyourdns.com - Email: fb@bigmailbox.ru 
hairyartist.ru - Email: vibes@freenetbox.ru 
lonelyzero.ru - Email: vibes@freenetbox.ru 
lovingmug.ru - Email: vibes@freenetbox.ru 
lowermatch.ru - Email: vibes@freenetbox.ru 
iuckyfan.ru - Email: vibes@freenetbox.ru 
malepad.ru - Email: semi@freenetbox.ru 
matchsearch.ru - Email: semi@freenetbox.ru 
microlightning.ru - Email: vibes@freenetbox.ru 
mindbat.ru - Email: semi@freenetbox.ru 
mealpoets.ru - Email: totem@freenetbox.ru 
nutcountry.ru - Email: dying@qx8.ru 
obscurewax.ru - Email: vibes@freenetbox.ru 



oceanobject.ru - Email: semi@freenetbox.ru 
parkperson.ru - Email: semi@freenetbox.ru 
penarea.ru - Email: dying@qx8.ru 
ponybug.ru - Email: dying@qx8.ru 
pocketbloke.ru - Email: angles@fastermail.ru 
programability.ru - Email: dying@qx8.ru 
rancideye.ru - Email: vibes@freenetbox.ru 
rawscent.ru - Email: vibes@freenetbox.ru 
recordsquare.ru - Email: totem@freenetbox.ru 
rescuedtoilet.ru - Email: vibes@freenetbox.ru 
riotassistance.ru - Email: angles@fastermail.ru 
scarletpole.ru - Email: vibes@freenetbox.ru 
secondgain.ru - Email: vibes@freenetbox.ru 
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shortrib.ru - Email: vibes@freenetbox.ru 
slaveperfume.ru - Email: totem@freenetbox.ru 
sodaceiis.ru - Email: dying@qx8.ru 
smelldrip.ru - Email: totem@freenetbox.ru 
starvingarctic.ru - Email: vibes@freenetbox.ru 
stagepause.ru - Email: totem@freenetbox.ru 



sweatymilk.ru - Email: vibes@freenetbox.ru 

tartonion.ru - Email: vibes@freenetbox.ru 

tunemug.ru - Email: tips@freenetbox.ru 

wearyratio.ru - Email: vibes@freenetbox.ru 

yummyeyes.ru - Email: vibes@freenetbox.ru 

UPDATED: Thursday , August 12, 2010: Historical OSINT 
for client-side exploit serving domains part of Gumblar's 
campaigns for April/May 2010 using hostdnssite.com 
(Email: cop@qx8.ru) name server: 

bestdarkman.info - Email: wwww@qx8.ru 

bestwebclub.info - Email: asleep@5mx.ru 

buy foot joy. info - Email: mellow@5mx.ru 

carswebnet.info - Email: mynah@freenetbox.ru 

city realtimes.info - Email: asleep@5mx.ru 

clandarkguide.info - Email: mellow@5mx.ru 

clandarksky.info - Email: wwww@qx8.ru 

darkangelcam.info - Email: mellow@5mx.ru 

darkbluecoast.info - Email: wwww@qx8.ru 

darksidenetwork.info - Email: mellow@5mx.ru 

digitaljoyworld.info - Email: mellow@5mx.ru 

eroomsite.info - Email: feint@qx8.ru 



esunsite.info - Email: wwww@qx8.ru 
extrafreeweb. info - Email: mynah@freenetbox.ru 
feedandstream.info - Email: mynah@freenetbox.ru 
gloomyblack.info - Email: wwww@qx8.ru 
homesweetrv.info - Email: mynah@freenetbox.ru 
indiawebnet.info - Email: mynah@freenetbox.ru 
joylifein.info - Email: mellow@5mx.ru 
joysportsworld.info - Email: mellow@5mx.ru 
justroomate.info - Email: feint@qx8.ru 
ken joy world, info - Email: mellow@5mx.ru 
learn webguide. info - Email: mynah@freenetbox.ru 
luxurygenuine.info - Email: asleep@5mx.ru 
myfeedsite.info - Email: feint@qx8.ru 
newsuntour.info - Email: wwww@qx8.ru 
oneroomhome.info - Email: feint@qx8.ru 
realshoponline.info - Email: asleep@5mx.ru 
redsunpark.info - Email: feint@qx8.ru 
roomstoretexas.info - Email: feint@qx8.ru 
suncoastatlas.info - Email: feint@qx8.ru 
sunstarvideo.info - Email: feint@qx8.ru 



supersunbeds.info - Email: feint@qx8.ru 
superwebworld.info - Email: asleep@5mx.ru 
sweetpeapots.info - Email: mynah@freenetbox.ru 
sweetteenzone.info - Email: mynah@freenetbox.ru 
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thedarkwaters.info - Email: wwww@qx8.ru 
thejoydiet.info - Email: mellow@5mx.ru 
therealclamp.info - Email: drum@maillife.ru 
thesunchaser.info - Email: wwww@qx8.ru 
thesweetchiid.info - Email: mynah@freenetbox.ru 
theuitimateweb.info - Email: asieep@5mx.ru 
theyellowsun.info - Email: feint@qx8.ru 
webguidetv.info - Email: asleep@5mx.ru 
webnetengiish.info - Email: mynah@freenetbox.ru 
yourprintroom.info - Email: feint@qx8.ru 
yoursweetteen.info - Email: mynah@freenetbox.ru 
UPDATED: Friday August 13, 2010: 

The use of Yahoo Groups is still ongoing. Sample URL: 

groups.yahoo .com/group/nfidcsyi/message which 
includes a link to perfectpillcool ,com:8080. 


The campaign is ongoing, updates will be posted as soon as 
new developments emerge. 

This post has been reproduced from [4]Dancho 
Danchev's blog. Follow him [5Jon Twitter. 
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1. htto://ddanchev.blo as oot.com/2010/07/soamvertised- 
amazon-verif v- vou-email.html 

2. http://ddanchev.blo as pot.com/2010/07/dissectina-xerox- 
workcentre-oro-scanned.html 

3. 

htto://www. virustotal.com/analisis/912608f55fba98cb03al31 

14ceea4a503d0fd4cc6ca5bab345 792b5 77884311 f-12813 

45777 

4. htto://ddanchev.bio as oot.com/ 

5. htto://twitter.com/danchodanchev 

1499 


£ 


Dissecting a Scareware-Serving Black Hat SEO 
Campaign Using Compromised .NL/.CH Sites 

(2010-08-13 17:09) 

Over the past week, I've been tracking - among the 
countless number of campaigns currently in process of 
getting profiled/taken care of internally - a blackhat SEO 
campaign that's persistently compromising legitimate sites 


















within small ISPs in the Netherlands and Switzerland, for 
scareware-serving purposes. 

Although this beneath the radar targeting approach is 
nothing new, it once again emphasizes on a well proven 

mentality within the cybercrime ecosystem - collectively the 
hundreds of thousands of low profile sites, if well poisoned 
with bogus/timely/relevant blackhat SEO content, can 
outpace the hijacked traffic from a high profile site due to the 
shorter time frame it would take for the the administrators to 
clean it up/ quicker community members' 

reaction based on prioritization due to the importance of the 
site. 

What's particularly interesting about the campaign, is the 
fact that the redirectors/scareware domains were 

previously parked within our "dear friends at AS31252, 
STARNET-AS StarNet Moldova. Go through related posts 
on STARNET-AS StarNet Moldova: 

• [lJKoobface Redirectors and Sea re ware Campaigns 
Now Hosted in Moldova 

• [2]Dissecting Koobface Gang's Latest Face book 
Spreading Campaign 
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• [3]Koobface Gang Responds to the "10 Things You 
Didn't Know About the Koobface Gang Post" 

• [4] From the Koobface Gang with Scareware Serving 
Compromised Sites 


Let's dissect the campaign, expose the complete portfolio of 
sea re ware/redirector domains, emphasize on the 

monetization vector and how this blackhat SEO campaign is 
using the same scareware affiliate network like the one 
campaigns launched through Gumblar's infrastructure 

([5]Spamvertised Best Buy, Macy's, Evite and Target 
Themed Scareware/Exploits Serving Campaign) 

continue using. 

Once the seif.location.href = condition is met, the 
following redirectors take place, until the user is exposed to 
the ubiquitous "You're infected" screen: 

- dotyuzcifi.ru/iiq/?st= - 200.63.44.211 - Email: 

kiree v@ra vermaii. com (NS: nsl. freemobiledns. mobi Email: 
akornl 022@gmaii. com) 

- errgxhxzerr.co.cc/r/feed.php?k= - 200.63.44.211, 
AS27716, ASEVELOZ - Email: andrew_bush52@hotmail.com 

- errgxhxzerr.co.cc/tube/?k= 

- errgxhxzerr.co.cc/r/sss.php 

- www4.protection-guard89.co.cc - 74.118.193.81, 
AS46664 - Email: abc.emm@gmaii.com 

- wwwl.virus-detection50.co.cc/?p=p52 - 

94.228.220.117, AS47869, NETROUTiNG-AS - Email: 
a be. emm@gmail. com 

- Detection rate: 

packupdate9 _289.exe - 

[6]Win32/TrojanDownioader.FakeAlert.AEY - 6/ 42 (14.3 



MD5 : 3e4920aa3ff24db64372ae96854f3f02 


SHA1 : 75bcb6acf5ff65269bfc5f685e5d03688b8blade 

SHA256: 

72 72f889520cdl dl 898ccd91 fl bOl 835cf53f06b452041baae 
0336796ff09fd7 

Responding to 94.228.220.117, AS47869, NETROUTING-AS 
are also the following domains: 

wwwl.virus-detection50.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 

wwwl.virus-detection51.co.cc/?p=p52 - Email: 
a be. emm@gmaU. com 

wwwl.virus-detection52.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 

wwwl.virus-detection53.co.cc/?p=p52 - Email: 
a be. emm@gmaU. com 

wwwl.virus-detection54.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 

wwwl.virus-detection55.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 

wwwl.virus-detection56.co.cc/?p=p52 - Email: 
a be. emm@gmaU. com 

wwwl.virus-detection57.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 



wwwl.virus-detection58.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 

wwwl.virus-detection59.co.cc/?p=p52 - Email: 
a be. emm@gmail. com 

www2.mypersonalshield70.in - Email: 
gkook@checkjemail. nl 

www2.mypersonaishieid71.in - Email: 
gkook@checkjemail. nl 
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www2.mypersonaishieid72.in - Email: 
gkook@checkjemail. nl 

It gets even more interesting, and cybercrime ecosystem- 
friendly, when we see that one of the scareware redirector 
domains, has been registered with the same email as the 
scareware domain redirector used in the monetization 

vector of Gumblar's campaigns. 

The currently used uramozat.cz.ee /scannerl0/?afid=76 - 

195.16.88.62, AS50109, HOSTLIFE-AS WIBO PROJECT 

LLC - Email: ydeconspi@nice-4u.com is registered using the 
same email as the recently used hoopdotami.cz 

.cc/scanner5/?afid=24 -188.72.192.229 - Email: 
ydeconspi@nice-4u.com from the "[7]Spamvertised Best 
Buy, Macy's, Evite and Target Themed 
Scareware/Exploits Serving Campaign". 


This centralization of monetization networks ultimately 
serves best the security industry and law enforcement, 

and remains a trend rather than a fad. 

Responding to 195.16.88.62 are also the following affiliate 
redirector domains: 

sulphomihin.cz.cc - Email: ydeconspi@nice-4u.com 
suppcorfoke.cz.ee - Email: ydeconspi@nice-4u.com 
swinumlobzua.ez.ee - Email: ydeconspi@nice-4u.com 
taitretarjus.ez.ee - Email: ydeconspi@nice-4u.com 
talinighge.ez.ee - Email: ydeconspi@nice-4u.com 
tangmomawigg.ez.ee - Email: ydeconspi@nice-4u.com 
taniverwea.ez.ee - Email: ydeconspi@nice-4u.com 
tedroidragin.ez.ee - Email: ydeconspi@nice-4u.com 
tifucacel.cz.ee - Email: ydeconspi@nice-4u.com 
ungelacoc.cz.ee - Email: ydeconspi@nice-4u.com 
unriprazzhalf.ez.ee - Email: ydeconspi@nice-4u.com 
uramozat.ez.ee - Email: ydeconspi@nice-4u.com 
vochicorneu.cz.ee - Email: ydeconspi@nice-4u.com 
voihuavino.ez.ee - Email: ydeconspi@nice-4u.com 
voldcafuri.cz.ee - Email: ydeconspi@nice-4u.com 
weineitronty.ez.ee - Email: ydeconspi@nice-4u.com 



wintotersstal.cz.cc - Email: ydeconspi@nice-4u.com 

worddreameipa.cz.ee - Email: ydeconspi@nice-4u.com 

wordrochosom.cz.ee - Email: ydeconspi@nice-4u.com 

xboxunechin.cz.ee - Email: ydeconspi@nice-4u.com 

ydeconspi.cz.ee - Email: ydeconspi@nice-4u.com 

zilrebelma.cz.ee - Email: ydeconspi@nice-4u.com 

zukavito.ez.ee - Email: ydeconspi@nice-4u.com 

• [ 8 ] Complete list of URLs for the compromised Dutch 
sites (NOW CLEAN) hosted at A56461, MFNX MFN - 
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Metromedia Fiber Network 

Complete list of the URLs for compromised sites (CURRENTLY 
ACTIVE) hosted at A515547, TV52NET-NETPLU5 

Servicing cable-network customer in CH. 

abitasion.ch /illucpUWAeima 
abitasion.ch /HOeUSbRtm/ 
abmontage.ch /73NJub8iWea/ 
absteam.ch /UfHZI8Qm7/ 
accueiletpartagesuisse. eh /Wb VcOfiHlabe/ 
accueiletpartagesuisse.eh /Wbytpauohcjk/ 
adikt-a.ch /isisAuMOlmXW/ 



adikt-a.ch /is / WcgUV7L/ 
adsite.ch /lAULixdSoWmA/ 
adumas.ch /QVxaomZ7er 
aemo-valais.ch /ualagow/ 
aerobic-chablais. ch /IYMy3IAejmiq/ 
aerobic-chablais. ch /IYuM W8yHJ/ 
a-fauchere.ch /rU8alutON/ 
agpinstallations. ch /WAoxnHauvyUi7 
agpinstallations.ch /WA wANoXv9rek/ 
alayra.ch /ufgMxORjbNz9i/ 
alex-xxxl.ch /u9VUyo9hw/ 
alpirama. ch /A 0Sc3lu/ 
alterfamiliae.ch /RgauIMVZ/ 
ametys.ch /IZ2eblxoL3tSN/ 
ametys.ch /IZbAaYy/ 

amis-orgue-moudon. ch /WulatdWMbRSg/ 
amis-orgue-moudon.ch /WuYUoH3/ 
apf-hev-fr.ch /drkoUqjx/ 
artdidier. ch /vZkR 7ap2gQiAU/ 
artefax.ch Zu8oApWua/ 



artefax.ch /u8qrYoi8ASh/ 
artisanatbramoisien.ch ZjRVAEWyXqLsM/ 
artisane.ch /Scg3IEv/ 
artisan-fondeur.ch /RX0y9OdUu/ 
artist-e.ch /j8WfHEa/ 
asb-coaching.ch /uJWOldHeuai/ 
a telier-bois. ch /skjun0elUgM8/ 
ateliercube.ch /3bqNHnLy/ 
attoufoula-al-baria.ch /scWZHiblemAqr/ 
autoecole-sion.ch /ku WcUM3yn9xgo/ 
a ux-doigts-de-fee. ch /eoo VapJN WcuHx/ 
auxpetitsbois. ch /80xlao Weydbc7/ 
avgf.ch /xr3t0uvanegb/ 
avmep.ch /niyW3RHiaoE/ 
avmep.ch /nizXOdumW/ 
avosbagages.ch /ebaAuynxel2L/ 
a vta. ch /ZuO VoixA/ 
banques-assurances. ch /WEeyt7iUYL/ 
ba tibois. ch /hgA ba vx/ 
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batibois.ch /hghky(JN09/ 
bconseils.ch /tAIUzJVn/ 
bc-production.ch /9XupRmlbE/ 
bdelfolie. ch /ushj20mij W9 wu/ 
bdelfolie.ch /usIUomaYfWeN/ 
bee oval, ch /a VUq W9xYbp/ 
bedat-conseils.ch /AUyYRtuh WrpA/ 
be I fid. ch /ftRbtgl3/ 
bellodelledonne.ch /oXOkUuN/ 
bellodelledonne.ch /oXoNgekf7i'/ 
bestwear.ch /j0iyeJ3v/ 
bienecrire.ch /YAE9ldiakvy/ 
biocave.ch /AuhuwoAUxOI3W/ 
birman. ch /Z7Moe VXgAafL/ 
blanchival.ch /.ANabQIgkOzeO/ 
blanchival.ch /ANJjiQgHb/ 
bnbmorel.ch ZyfE3AyWoQx8/ 
bonnes-occases.ch /HlYMhcE/ 
bouquins.ch /IWHOdAa/ 
cafepsy.ch /ZoiAcIWIRM/ 



calzolarorocco.ch /9a8aYRjlrW/ 
camping-sedunum.ch /SvvMQjsem/ 
canadulce.ch /wullMriaN/ 
canadulce.ch /wuQYryJ/ 
carrgeiger. ch /ehs Vy2uXxoA WE/ 
carte-menu.ch /JQinNyA/ 
castalie.ch /cq3xeyWmjaf/ 
catherineritter. ch /A dUJiRq/ 
catherineritter.ch /AdUqRAiSnNsyv/ 
ca vedegoubing. ch /ERNzcu9iagdo/ 
cave-des-chevalieres.ch /WuunyOq/ 
celinerenaud.ch /Qj7dHcLo/ 
celinerenaud.ch /QjZoUyaJ/ 
centre-autos.ch /INUYRuWnA/ 
cere-sa.ch /lyEHdVqAlYbXL/ 
cere-sa.ch /lykn WJr/ 
cgt.ch AegAaVUfne/ 
chalets-for-sale.ch /SaNXWcvU/ 
chavaz-archi.ch /8iAZxEaJ/ 
chavaz-archi.ch /8iQOjlS/ 



cretillons.ch /ianeZc2/ 


Responding to 200.63.44.211 (the original [9]redirector 
domains dotyuzcifl.ru; errgxhxzerr.co.cc), AS27716, 
ASEVELOZ Eveioz are the remaining domains part of the 
sea re wa re/redirecti on/Fake Adobe Player (tube/Adobe _ 

Flash _ _Player.exe) campaign. 

- Detection rate: 

Adobe _ Flash _ _Player.exe - 

[lOJHeuristic.BehavesLike. Win32.Suspicious.H -11/42 (26.2 
%) 

MD5 : 8al0909c487a739e85028al9ale898dc 

SHA1 : d9f7d78fe245f8df04fa398835b52d5a2c2d6af7 
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SHA256: 

63befe 78a 7895a8efc6d893491 d8f77ef8adalcd52d5625874 
90a 79f29b65336 

- Upon execution phones back to: 

qualattice.com - 64.20.63.58 - Email: 
trough@mobiletonight. com 

jaxcage.net - 91.188.60.233, [11JAS6851, BKCNET "SIA " 

IZZI - Email: delee@easteroffers.com mybubblebean.com 

- 85.234.190.47, [12JAS6851, BKCNET "SIA" IZZI - Email: 
place@popupquote.com freejaxbird.net - 77.78.239.42 - 
Email: delee@easteroffers.com 

07tqqwem.ru - Email: pishkov@rbcmail.ru 



0qhe7y6o.ru - Email: pishkov@rbcmail.ru 
0st44x7z.ru - Email: stroganov@maii.ru 
0w6scx6a.ru - Email: goncharov@rapworld.com 
20xzpzga.ru - Email: danilov@boatnerd.com 
23qjmdic.ru - Email: lebedev@rapworld.com 
28iue5ri.ru - Email: kireev@bgay.com 
28jnbuak.ru - Email: kirillov@ravermail.com 
2poaxz3k.ru - Email: alekseev@land.ru 
2tmo2ba2.ru - Email: kustov@remixer.com 
30zcz8ot.ru - Email: slabkov@bigmailbox.net 
32iafdnp.ru - Email: erohin@intimatefire.com 
3a0stbqe.ru - Email: golodnikov@blida.info 
3jruf6nc.ru - Email: taranov@inorbit.com 
40ktc2tn.ru - Email: antonov@insurer.com 
4hp2ag6c.ru - Email: belov@kidrock.com 
4mausx2w.ru - Email: lavrov@blackcity.net 
4y8pqcby.ru - Email: pokatilov@realtyagent.com 
5eqq3sgj.ru - Email: abakumov@smtp.ru 
5gsco2w5.ru - Email: davidov@bikermail.com 
5q4eyd2w.ru - Email: stepanov@pop3.ru 



5znhff2s.ru - Email: kalinin@boarderzone.com 
6ojj8sks.ru - Email: patralov@bigheavyworld.com 
6pgsqndh.ru - Email: baklanov@mail333.com 
83qndvnj.ru - Email: taranov@relapsecult.com 
868r5e0b.ru - Email: udalov@rastamall.com 
8n7pnyyr.ru - Email: patralov@front.ru 
8reclame.ru - Email: kirikov@billssite.com 
atyyyopg.ru - Email: viktorov@bikerheaven.net 
azaamdwo.ru - Email: samsonov@bikermail.com 
bvo62o0i.ru - Email: kirillov@rastamall.com 
c28xd2ck.ru - Email: luzgin@front.ru 
cf8sagkn.ru - Email: alekseev@ratedx.net 
ckmdbrio.ru - Email: ulyanov@rapworld.com 
crosslinks-services.ru - Email: ekomasov@kidrock.com 
csokolom.ru - Email: kirikov@irow.com 
cw5k47ye.ru - Email: viktorov@bicycling.com 
duz5n2ca.ru - Email: beiov@bilissite.com 
dwunvuum.ru - Email: stepanov@pop3.ru 
ea7xh4vw.ru - Email: goncharov@repairman.com 
err39hxzerr.co.cc - Email: an drew _bush52@hotmail.com 



err3ghxzerr.co.cc - Email: andrew_bush52@hotmail.com 
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err5phxzerr.co.cc - Email: andrew_bush52@hotmail.com 
err61hxzerr.co.cc - Email: andrew_bush52@hotmail.com 
err6ehxzerr.co.cc - Email: andrew_bush52@hotmail.com 
err6jhxzerr.co.cc - Email: andrew_bush52@hotmail.com 
err8jhxzerr.co.cc - Email: andrew_bush52@hotmail.com 
err8whxzerr.co.cc - Email: andrew_bush52@hotmail.com 
errb9hxzerr.co.cc - Email: andrew_bush52@hotmail.com 
errbehxzerr.co.cc - Email: andrew_bush52@hotmail.com 
errbqhxzerr.co.ee - Email: andrew_bush52@hotmail.com 
errcihxzerr.co.cc - Email: andrew_bush52@hotmail.com 
errdhhxzerr.co.ee - Email: andrew_bush52@hotmail.com 
errekhxzerr.co.ee - Email: andrew_bush52@hotmail.com 
errfdhxzerr.eo.ee - Email: andrew_bush52@hotmail.com 
errgqhxzerr.eo.ee - Email: andrew_bush52@hotmail.com 
errgthxzerr.eo.ee - Email: andrew_bush52@hotmail.com 
errguhxzerr.eo.ee - Email: andrew_bush52@hotmail.com 
errgvhxzerr.eo.ee - Email: andrew_bush52@hotmail.com 
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f50rbdb8.ru - Email: samsonov@kidrock.com 
fbbktj2z.ru - Email: zhukov@kidrock.com 
fimpvs8t.ru - Email: zhuravlev@blackvault.com 
fppf2H28.ru - Email: danilov@pochta.ru 
gayq8rgx.ru - Email: kovalev@blackcity.net 
gea vdwal. info 
gerotal.info 

gztyue8w.ru - Email: kirillov@boatnerd.com 
H6poe6or.ru - Email: beglov@inorbit.com 
hc6zxms4.ru - Email: lebedev@intimatefire.com 
Hem3oxjh.ru - Email: ulyanov@boarderzone.com 
hszwwvjq.ru - Email: kustov@fromru.com 
i2wv8rdm.ru - Email: shedrin@bilissite.com 
i4nhjopf.ru - Email: antonov@fromru.com 
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i7in0b64.ru - Email: ulyanov@kinkyemail.com 
ihbkbzcm.ru - Email: abdulov@iname.com 
io0yfyc8.ru - Email: molchanov@repairman.com 
j6yeky7p.ru - Email: bazhenov@krovatka.su 


j7k6xze2.ru - Email: vasilev@pop3.ru 
jimm2rusru.ru - Email: kustov@rapworid.com 
jimm4fan09.ru - Email: antonov@biida.info 
jimmjimm895.ru - Email: kuznecov@insurer.com 
jimmkolesoru.ru - Email: naumov@boarderzone.com 
jimmonlineO.ru - Email: miheev@gmail.com 
jimmplum2.ru - Email: vishnevskiy@pop3.ru 
jimmthebestl.ru - Email: aleksandrov@blackcity.net 
jnano5gh.ru - Email: zhukov@realtyagent.com 
jokerjokk.ru - Email: beglov@blida.info 
kefpvbsi.ru - Email: kalinin@boarderzone.com 
kfgemaae.ru - Email: ulyanov@bigmailbox.net 
koliander.ru - Email: zaicev@insurer.com 
liononlinensd.ru - Email: nikitin@rastamall.com 
lokipol.ru - Email: kirikov@bikerheaven.net 
mjbims7m.ru - Email: pishkov@ravermail.com 
mrtOzqcb.ru - Email: shedrin@pochtamt.ru 
mxek5t5g.ru - Email: beglov@repairman.com 
nesselandeportal. info 
ni2m4kua.ru - Email: zhukov@bikermail.com 



nv8os6yt.ru - Email: kuznecov@mail.ru 
o3wg4sya.ru - Email: abakumov@bolbox.com 
ocggnaif.ru - Email: zaicev@iname.com 
ofz5qzgu.ru - Email: zaicev@ravermail.com 
oh7iumr7.ru - Email: belov@inorbit.com 
onlinefeeds.ru - Email: beglov@insurer.com 
onlinegearsd.ru - Email: luzgin@smtp.ru 
onlinejimmmovse.ru - Email: abakumov@realtyagent.com 
onlineonlkiok.ru - Email: kirillov@billssite.com 
pgvvua6j.ru - Email: goncharov@bicycling.com 
pororkol.ru - Email: erohin@bikerider.com 
prc6t7z3.ru - Email: kirikov@pochtamt.ru 
psxdvOnr.ru - Email: zhukov@inbox.ru 
pvbsiy5y.ru - Email: komarov@kinkyemail.com 
q3ysg05s.ru - Email: golodnikov@insurer.com 
qbecqeOs.ru - Email: ulyanov@bicycling.com 
qec5beqn.ru - Email: morozov@pochta.ru 
qfnye2t7.ru - Email: bednyakov@irow.com 
qpsxdvOn.ru - Email: viktorov@blackcity.net 
rikosdhu.ru - Email: pokatilov@pisem.net 



ronaldknol.ru - Email: taranov@smtp.ru 
rs3gpd0m.ru - Email: alekseev@bicycledata.com 
rudjimmdjimm.ru - Email: alekseev@boarderzone.com 
s4gvhd35.ru - Email: lebedev@blackvault.com 
s748eop4.ru - Email: aleksandrov@repairman.com 
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sgivnnOt.ru - Email: volkov@repairman.com 
stpf6qpv.ru - Email: bednyakov@relapsecult.com 
sv4wmtxj.ru - Email: ivanov@bikerider.com 
t0a2afyq.ru - Email: ivanov@boatnerd.com 
t3tzynvj.ru - Email: bazhenov@rapstar.com 
trustincompanies.ru - Email: abdulov@insurer.com 
u5fyfzjt.ru - Email: polovov@rbcmail.ru 
ucf47vnu.ru - Email: abdulov@bikerider.com 
uplcash.com - Email: director@climbing-games.com 
v5w3xgzn.ru - Email: morozov@rbcmail.ru 
vgksry7k.ru - Email: vishnevskiy@land.ru 
w8iroomb.ru - Email: golodnikov@pop3.ru 
x7p03g0j.ru - Email: kirikov@front.ru 
xni27ftd.ru - Email: timofeev@mail.ru 



xsd3id8t.ru - Email: kovalev@pochta.ru 
xthjrgxz.ru - Email: pokatiiov@insurer.com 
xu44i03y.ru - Email: arhipov@insurer.com 
yiOewtmd.ru - Email: antonov@blackvault.com 
yp7o07nq.ru - Email: golodnikov@rbcmail.ru 
z26hggcb.ru - Email: pokatilov@fromru.com 
z656cvje.ru - Email: slabkov@boatnerd.com 
zsrd4xj5.ru - Email: kuznecov@iname.com 
zznks8fh.ru - Email: bulaev@registerednurses.com 
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Could we have a blackhat SEO campaign, without a Koobface 
gang connection? Appreciate my rhetoric. Parked at 

200.63.44.48, again within AS27716, ASEVELOZ Eveloz are 
the following domains: 

35l3cv2oywwycrfzlyo3.com - Email: 
michaeltycoon@gmail. com 

4idmcxlczdy52yh7rklb.com - Email: 
michaeltycoon@gmail. com 

56ml7zj047l0x6wm9v6y.com - Email: 
michaeltycoon@gmail. com 

8vsgzuu084e9i8ohl5nn.com - Email: 
michaeltycoon@gmail. com 


aatyamlkpgxp8h3ml7ky.com - Email: 
michaeitycoon@gmaii. com 

bvzpvunifooe8t946d2p.com - Email: 
michaeitycoon@gmaii. com 

i905jzsht33cd4kfcqvh.com - Email: 
michaeitycoon@gmaii. com 

jhn72w76khysuxdgj0bo.com - Email: 
michaeitycoon@gmaii. com 

k78ju8lyzratna0c5r7m.com - Email: 
michaeitycoon@gmaii. com 

Irbx4hzznbdmedfk4xrd.com - Email: 
michaeitycoon@gmaii. com 

Isleepnzj784nid96prn.com - Email: 
michaeitycoon@gmaii. com 

n0itv7fh7qscrfse3ili.com - Email: 
michaeitycoon@gmaii. com 
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pdusxsiuedamjc83qipi.com - Email: 
michaeitycoon@gmaii. com 

rabotaetpolubomu.net - Email: michaeitycoon@gmaii.com 

t0vqred4itv4pmo488k9.com - Email: 
michaeitycoon@gmaii. com 

thmyb0s6se5febs0ghb8.com - Email: 
michaeitycoon@gmaii. com 



u5a05qldnmr4jwqrnav3.com - Email: 
michae\tycoon@gmail. com 

uqlwedg9tr523wbafdzp.com - Email: 
michaeltycoon@gmail. com 

vk4j2x7n49nqlH9vm5h.com - Email: 
michaeltycoon@gmail. com 

ysut5gx094w2dddjtswh.com - Email: 
michaeltycoon@gmail. com 

Deja vu! Where do we know the 

michaeltycoon@gmail.com email from? From the "[13] A 
Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang" campaign, 
and in particular from the fact that it was once directly 
connected to the Koobface gang - this is not an email that 
was used to register a domain belonging to the sea re ware 
affiliate network, instead it's an email used to register a 
client-side exploits serving domain parked on the same IP 
where a hardcore Koobface C &C from Koobface 1.0's 
infrastructure was responding to - urodinam.net 

• [14]Dissecting the Mass DreamHost Sites 
Compromise - " Moreover, on the exact same IP where 
Koobface gang's urodinam.net is parked, we also have the 
currently active Izabslwvn538n4i5tcjl.com - Email: 
michaeltycoon@gmail.com, serving client side exploits using 
the Yes Malware Exploitation kit - 91.188.59.10 

/temp/cache/PDF.php; admin panel at: 

Izabslwvn538n4i5tcjl. com /temp/admin/index.php " 

Blackhat SEO campaigns, migration from the Koobface- 
friendly AS31252, STARNET-AS StarNet Moldova , plus a 
direct connection established as once a customer is 



migrating, he's usually taking all of his dirty luggage with 
him, proves that, there's no such thing as coincidence within 
the cybercrime ecosystem, there's just a diverse 
infrastructure where everyone appears to be self-serving 
their needs as a service, consequently forwarding 
responsibility for 

someone else's actions to the infrastructure they are 
abusing. 

Related biackhat SEO/scareware monetization assessments: 

[15] Dissecting the 100,000+ Scareware Serving Fake 
YouTube Pages Campaign 

[16] Dissecting the Ongoing U.S Federal Forms 
Themed Biackhat SEO Campaign - Part Two 

[17] Blackhat SEO Campaign Hijacks U.S Federal Form 
Keywords, Serves Scareware 

[18] U.S Federal Forms Biackhat SEO Themed 
Scareware Campaign Expanding 

[19] Dissecting the Ongoing U.S Federal Forms 
Themed Biackhat SEO Campaign 

[20] The ultimate guide to scareware protection 

[21] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[22] Massive Scareware Serving Biackhat SEO, the 
Koobface Gang Style 

[23] A Peek inside the Managed Biackhat SEO 
Ecosystem 



[24] Dissecting a Swine Flu Black SEO Campaign 

[25] Massive Blackhat SEO Campaign Serving 
Sea re ware 

[26] From Ukrainian Blackhat SEO Gang With Love 

[27] From Ukrainian Blackhat SEO Gang With Love - 
Part Two 

[28] From Ukraine with Scareware Serving Tweets, 
Bogus Linkedln/Scribd Accounts, and Blackhat SEO 
Farms 

[2 9] From Ukraine with Bogus Twitter, Linked In and 
Scribd Accounts 

[30]Fake Web Hosting Provider - Front-end to 
Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from [31]Dancho 
Danchev's blog. Follow him [32Jon Twitter. 

1. http://ddanchev. blo as pot. com/2010/03/koobface- 
redirectors-and-scareware.html 

2. htto://ddanchev.blo as oot.com/2010/04/dissectin a- 
koobface-aanas-latest.html 

3. htto://ddanchev.blo as oot.com/2010/05/koobface-aan a- 
responds-to-10-thin as- vou.html 
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4. http://ddanchev. blo as pot. com/2010/05/from-koobface- 
aana-with-scareware. html 

















5. http://ddanchev.blo as pot.com/2010/08/spamvertised-best- 
buv-macvs-evite-and.html 

6 . 

http://www. virustptal. com/file-scan/report.html? 

id= 72 72f889520cdl dl 8 9 Seed 91 fl bOl 835cf53f06h452041ba 

ae0336 

796ff09fd7-1281703284 

7. http://ddanchev.blo as pot.com/2010/08/spamvertised-best- 
buv-macvs-evite-and.html 

8. http://pastebin. com/POUKr7aE 

9. 

http://3. bp. blo as pot, com/ wICHhTiOmrA/TGVGu7E p ill/AAAA 
AAAAEzo/oaThblEDFcU/sl600/Blackhat SEP Dutch Swiss sc 

a re ware 2. PNG 

10. http://www. virustptal.com/file-scan/report.html? 
id=63befe78a 7895a8efc6d893491 d8f77ef8adalcd52d56258 

7490a7 

9f29b65336-1281 711013 

11. http.V/ddanchev.blo as pot.com/2010/07/exploits-malware- 
a n d-sca re wa re-courtes v.html 

12. http.V/ddanchev.blo as pot.com/2010/07/exploits-malware- 
and-scareware-courtesv.html 

13. http.V/ddanchev.blo as pot.com/2010/02/diverse-portfolio- 
of-scarewareblackhat. html 














































14. htto.V/ddanchev.blo as oot.com/2010/05/dissectina-mass- 
dreamhost-sites.html 

15. http://ddanchev.blo as oot. com/2010/06/dissectin a- 
1 OOOOQ-scareware-servina.html 

16. http://ddanchev.blo as pot.com/2010/06/dissectin a- 
on aoina-us-federal-forms.html 

17. http://ddanchev.blo as pot.com/2009/Q8/blackhat-seo- 
camoaian-hiiacks-us. him I 

18. htto://ddanchev.blo as oot.com/2009/08/us-federal-forms- 
blackhat-seo-themed.html 

19. htto.V/ddanchev.blo as oot. com/2009/08/dissectin a- 
on aoina-us-federal-forms.html 

20. http://www.zdnet.com/bloa/securitv/the-uItimate-auide- 
to-scareware-orotection/4297 

21. htto.V/ddanchev.blo as oot. com/2010/02/diverse-oortfolio- 
of-scarewareblackhat.html 

22. htto.V/ddanchev.blo as oot. com/2009/11/massive- 
scareware-servina-blackhat-seo.html 

23. htto.V/ddanchev.blo as oot. com/2009/06/oeek-inside- 
manaaed-blackhat-seo.html 

24. http.V/ddanchev.blo as pot.com/2009/05/dissectina-swine- 
f1u-black-seo-camoaian.html 

25. htto.V/ddanchev.blo as oot.com/2009/04/massive-blackhat- 
seo-camoaian-servina.html 

26. htto.V/ddanchev.blo as oot. com/2009/06/from-ukrainian- 
blackhat-seo-aana-with.html 



























































27. htto.V/ddanchev.blo as oot.com/2009/06/from-ukrainian- 
blackhat-seo-aana-with 09.html 


28. htto.V/ddanchev.blo as oot.com/2009/06/from-ukraine- 
with-scareware-servina. him! 

29. htto://ddanchev.blo as oot.com/2009/07/from-ukraine- 
with-boaus-twitter.html 

30. http://ddanchev.blo as pot.com/2009/Q6/fake-web-hostin a- 
oro vider-front-end-to. html 

31. htto://ddanchev.blo as oot.com/ 

32. htto://twitter.com/danchodanchev 
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Historical OS I NT: Celebrities Death, Fedex Invoices, 
Office-Themed Malware Campaigns (2010-09-08 
21:07) 

[l]As promised, this would be a pretty short historical 
OS I NT post - catching up is in progress - detailing the 
structure of several campaigns that took place throughout 
July-August, 2010, and (as always) try to emphasize on the 
connection with historical malware campaigns profiled on my 
personal blog. 




















Campaigns of notice include: spamvertised " Celebrities 
death-themed emails", " Fedex shipment status themed 
invoices", and " Office-themed documents". 

Sample subjects: 

Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; 
Tom Cruise died; Application; Thursday Journal Club; End Of 
Rotation; Abstracts; Project Declaration; Residency Happy 
Hour: SOP POLICIES; Fwd: Updated Journal Club Handout 

Sample attachments: 

journal club articles.zip; Rotation Input Sheet.zip; ppi and c 
dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case 
presentation draft.zip; journal club template.zip 

Detection rates, phone back URLs, and connections with 
previously profiled campaigns: 

- [2jnews.exe - Trojan.Bredolab-993 - 40/43 (93.0 %) 

MD5: 44522def7cf2a42aa26f59c2ac4ced58 

SHA1 : 2f60531b6e33d842eba505f3c3cb81 a3ff6e3e6a 

- [3Jjournal club articles.exe - Backdoor/Bredolab.edb - 
41/43 (95.3 %) 

MD5: 72e90fdl264e731109dlb6b977b2c744 

SHA1: 0a36b882dlb4d8b42cc466ec286e95bbb2e77d49 

Upon execution, the samples phone back to: 

188.65.74.161 /mrmun _sgjlgdsjrthrtwg.exe - AS42473 

- DOWN 



194.28.112.3 /outlook.exe -AS48691 - ACTIVE 

- [4Joutlook.exe - TrojanSpy:Win32/Fitmu.A -17/43 (39.5 
%) 

MD5: 8f4eca49b87e36daael4b8549071dece 

SHA1: 1 d390e9f8d6e744ead58dd6c424581419f732498 

Upon execution, the dropped sample phones back to: 

cuscuss.com -188.65.74.164 - Email: info@blackry.com 

1514 

Responding to 188.65.74.164 at AS42473 are also: 
wiggete.com - Email: info@biackry.com 
depenam.com - Email: info@blackry.com 
fishum.com - Email: info@blackry.com 
blackry.com - Email: info@blackry.com 

Two of the domains are know to have been serving client- 
side exploits, but the redirection is currently return¬ 
ing an error " Connect to 188.40.232.254 on port 80 ... 
failed". 

- depenam ,com/count22.php 

- blackry .com/count21.php 

- vseohuenno .com/trans/b3/ -188.40.232.254 - Email: 
latertrans@gmail. com 


Responding to 188.40.232.254, AS24940 are also the 
following command and control, client-side exploit serv¬ 
ing domains: 

gurgamer.com - (New IP: 86.155.172.30) Email: 
latertrans@gmail. com 

moneybeerers.com - Email: latertrans@gmail.com 

daeshnew.com - (New IP: 86.145.158.90) Email: 
\atertrans@gmaU. com 

volosatyhren.com - Email: latertrans@gmail.com 
vyebyvglaz.com - Email: latertrans@gmail.com 


- [5]Fedexlnvoice _EE776129.exe - Win32/0ficla.LK - 41/ 
43 (95.3 %) 

MD5: d4e2875127f5cbdf797de7fl417f96a7 

SHA1: c2df8d8cl 78142ba7bee48dbf9a9f68c32al4f5e 

Upon execution, the sample phones back to: 

iloveiasvegas .ru/web/St/bb.php?v=200 
&id =636608811 &b=24augNEW &tm= - 109.196.134.44, 
A539150 - Email: vadim.rinatovich@yandex.ru with 
x5vsm5.ru - Email: vadim.rinatovich@yandex.ru also 
parked there. 

Where do we know the vadim.rinatovich@yandex.ru email 
from? 


From two previously profiled campaigns 




"[6]Spamvertised iTunes Gift Certificates and CV 
Themed Malware Campaigns"; and " [7]Dissecting the 
Xerox WorkCentre Pro Scanned Document Themed 
Campaign" having a direct relationship with the Asprox 
botnet. 

This post has been reproduced from [8] Dane ho 
Danchev's blog. Follow him [9Jon Twitter. 

1. http .-//twitter, com/danchodanchev/status/23254 748308 

2 . 

htto://www. virustotal. com/file-scan/report.html? 

id=2 61 fef064 71 fb9a90928e21e02 7cb058cc84a0c310995f3c 

a95ce0 
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6bea8f98cf-12839615 75 

3. 

http://www. virustotal. com/file-scan/report, html? 

id=f6c4e 74 726Slae9ea4a Pel 9cfd75c5ce864 77e4f48612e54 

3b219b 

c23d5c9d29-12839615 71 

4. 

http://www. virustotal. com/file-scan/report.html? 

id= 616bc445868638408Ibe9a9b654a8b99b4cbbbf395b465 

0d01d4bc 

fe798119b4-1283962155 


5 . 



















htto: //www. virustotal. com/file-scan/report.html? 

id=01 f7ee45f242de43f733cl5e0238ca09bl cf8fe9ec8c7ca 7f 


4b95c 

a 7959c2934-1283961566 

6. http.V/ddanchev.blo as pot.com/2010/05/spamvertised- 
itunes-aift-certificates. html 

7. http://ddanchev.blo as pot.com/2010/07/dissectina-xerox- 
workcentre-ero-scanned.html 

8. http://ddanchev.blo as pot.com/ 

9. http://twitter.com/danchodanchev 
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Summarizing 3 Years of Research into Cyber Jihad 
(2010-09-11 16:24) 

From the "been there, actively researched that" department. 

1. [lJTracking Down Internet Terrorist Propaganda 

2. [2] Arabic Extremist Group Forum Messages' 
Characteristics 

3. [3]Cyber Terrorism Communications and 
Propaganda 

4. [4] A Cost-Benefit Analysis of Cyber Terrorism 

5. [5]Current State of Internet Jihad 

6. [6]Anaiysis of the Technical Mujahid - Issue One 




















7 . [7]Full List of Hezbollah's Internet Sites 

8. [8]Steganography and Cyber Terrorism 
Comm unica tions 

9. [9]Hezbollah's DNS Service Providers from 1998 to 
2006 

10. [lOJMujahideen Secrets Encryption Tool 

11. [11JAnalyses of Cyber Jihadist Forums and Blogs 

12. [12[Cyber Traps for Wannabe Jihadists 

13. [13]lnshallahshaheed - Come Out, Come Out 
Wherever You Are 

14. [14JCIMF Switching Blogs 

15. [15JCIMF Now Permanently Shut Down 

16. [16JCIMF - "We Will Remain" 

17. [17[Wisdom of the Anti Cyber Jihadist Crowd 

18. [18]Cyber Jihadist Blogs Switching Locations Again 

19. [19]Electronic Jihad v3.0 - What Cyber Jihad isn't 

20. [20]Electronic Jihad's Targets List 

21. [21 [Teaching Cyber Jihadists How to Hack 

22. [22[A Botnet of Infected Terrorists? 

23. [23]lnfecting Terrorist Suspects with Malware 

24. [24[The Dark Web and Cyber Jihad 
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25. [25]Cyber Jihadist Hacking Teams 

26. [26]Two Cyber Jihadist Blogs Now Offline 

27. [27]Characteristics of Islamist Websites 

28. [28]Cyber Traps for Wannabe Jihadists 

29. [29]Mujahideen Secrets Encryption Tool 

30. [30] An Analysis of the Technical Mujahid - Issue 
Two 

31. [31 JTerrorist Croups' Brand Identities 

32. [32]A List of Terrorists' Blogs 

33. [33]Jihadists' Anonymous Internet Surfing 
Preferences 

34. [34]Sampling Jihadists' IPs 

35. [35]Cyber Jihadists' and TOR 

36. [36]A Cyber Jihadist DoS Tool 

37. [37JCIMF Now Permanently Shut Down 

38. [38]Mujahideen Secrets 2 Encryption Tool Released 

39. [39]Terror on the Internet - Conflict of Interest 

This post has been reproduced from [40]Dancho 
Danchev's blog. Follow him [41]on Twitter. 

1. http.V/ddanchev.blo as oot.com/2006/06/trackina-down- 
internet-terrorist. html 






2. htto.V/ddanchev.blo as oot.com/2006/05/arabic-extremist- 
arouD-forum-messaaes.html 

3. http://ddanchev. blo as oot. com/2006/08/cvber-terrorism - 
communications-and_22. html 

4. htto://ddanchev.blo as oot.com/2006/10/cost-benefit- 
analvsis-of-cvber.html 

5. http://ddanchev.blo as pot.com/2006/12/current-state-of- 
internet-iihad. html 

6. htto://ddanchev.blo as oot.com/2006/12/analvsis-of- 
technica l-muia h id-issue-one.html 

7. htto.V/ddanchev.blo as oot.com/2006/12/full-list-of- 
hezbollahs-internet-sites.html 

8. htto://ddanchev.blo as oot.com/2006/08/steaano araohv- 
and-cvber-terrorism.html 

9. htto://ddanchev. blo as oot. com/2006/09/hezboHahs-dns- 
service-oro viders-from.html 

10. htto.V/ddanchev.blo as oot.com/2007/04/muiahideen- 
secrets-encr v ption-tool. html 

11. htto.V/ddanchev.blo as oot.com/2007/08/analvses-of-cvber- 
iihadist-forums-and.html 

12. http.V/ddanchev.blo as pot.com/2007/03/cvber-traps-for- 
wannabe-iihadists.html 

13. htto.V/ddanchev.blo as oot.com/2007/12/inshallahshaheed- 
come-out-come-out.html 

14. httD://ddanchev.blo as Dot.com/2007/07/aimf-switchin a- 
bloas.html 





























































15. htto.V/ddanchev.blo as oot.com/2007/08/a imf-now- 
Dermanentlv-shut-down.html 

16. htto://ddanchev.blo as oot. com/2007/08/aimf-we-will - 
remain.html 

17. htto://ddanchev.blo as oot. com/2007/10/wisdom-of-anti- 
c vber-iihadist-cro wd.html 

18. http://ddanchev.blo as pot.com/2007/11/cvber-iihadist- 
bloas-switchina.html 

19. htto://ddanchev.blo as oot.com/2007/11/electronic-iihad- 
v30-what-cvber-iihad. him! 

20. htto://ddanchev.blo as oot.com/2007/11/electronic-iihads- 
taraets-iist.html 

21. htto.V/ddanchev.blo as oot. com/2007/11/teachin a-c vber- 
iihadists-how-to-hack.html 

22. htto.V/ddanchev.blo as oot.com/2007/11/botnet-of- 
infected-terrorlsis.html 

23. htto.V/ddanchev. blo as oot. com/2007/09/i nfectina-terrorist- 
suspects-with.html 
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24. htto.V/ddanchev.blo as oot.com/2007/09/dark-web-and- 
c vber-iihad. him I 

25. http.V/ddanchev.blo as pot.com/2007/12/cvber-iihadist- 
hackina-teams. html 

26. htto.V/ddanchev.blo as oot.com/2007/09/two-cvber- 
iihadist-bloas-now-offline.html 


























































27. htto.V/ddanchev.blo as oot.com/2007/02/characteristics-of- 
is la mist- websites.html 

28. htto://ddanchev.blo as oot. com/2007/03/cvber-traos-for- 
wannabe-iihadists.html 

29. http.V/ddanchev.blo as pot.com/2007/04/muiahideen- 
secrets-encr v ption-tool. html 

30. http://ddanchev.blo as pot.com/2007/Q6/analvsis-of- 
technical-muiahid-issue-two.html 

31. htto.V/ddanchev.blo as oot.com/2007/07/terrorist-arouos- 
bran d-iden titles . h tm I 

32. htto.V/ddanchev.blo as oot.com/2007/06/list-of-terrorists- 
bloas.html 

33. htto.V/ddanchev.blo as oot.com/2007/05/iihadists- 
anonvmous-lnternet-surfina.html 

34. htto.V/ddanchev.blo as oot. com/2007/05/samolin a- 
iihadists-ios.html 

35. htto.V/ddanchev.blo as oot. com/2007/07/cvber-nhadists- 
and-tor.html 

36. http.V/ddanchev.blo as pot.com/2007/08/cvber-iihadist- 
dos-tool.html 

37. http.V/ddanchev.blo as pot.com/2007/08/aimf-now- 
oermanentlv-shut-down. html 

38. htto.V/ddanchev.blo as oot.com/2008/01/muiahideen- 
secrets-2-encr v otion-tool.html 

39. htto.V/ddanchev.blo as oot. com/2008/03/terror-on-internet- 
conflict-of-interest. html 






























































40. htto.V/ddanchev.blo as oot.com/ 

41. http://twitter.com/danchodanchev 
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Comment Soam Attack (2009-02-11 18:55 ) 

■ Community-driven Revenue Sharing Scheme for 
CAPTCHA Breakin g (2009-02-17 14:33 ) 

■ Pharmaceutical Spammers Targeting Linkedln 
(2009-02-18 18:22 ) 

■ Fake Celebrity Video Sites Serving Malware - 
Part Three (2009-02-24 00:47 ) 

■ The Cost of Anonymizing a Cvbercriminal's 
Internet Activities - Part Two (2009-02-24 16:10 ) 

■ Fielo! Someone Flilacked mv lOOk-h Zeus 
Botnet! (2009-02-26 21:42 ) 

■ Inside a DIY Image Soam Generating Traffic 
Management Kit (2009-02-26 22:48 ) 

March 

■ Summarizing Zero Day's Posts for Februar y 
(2009-03-04 12:28 ) 

■ Russian Flomosexual Sites Under 

(Commissioned) DDoS Attack (2009-03-04 
13:00 ) 

■ Inside (Yet Another) Managed Soam Service 
(2009-03-09 22:18 ) 

■ Azerbaijanian Embassies in Pakistan and 
Hun gar y Serving Malware (2009-03-11 15:45 ) 

■ Who's Behind the Estonian DDoS Attacks from 

2007? (2009-03-12 17:39 ) 

■ Ethiopian Embassy in Washington D.C Servin g 
Malware (2009-03-18 23:10 ) " 

■ Crime ware in the Middle - Limbo (2009-03-19 
18:59 ) 


























































































■ Embassy of Portugal in India Serving Malware 
(2009-03-25 23:08 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Sixteen (2009-03-26 13:08 ) 

■ Summarizing Zero Day's Posts for March (2009- 
03-31 17:54 ) 

■ Diverse Portfolio of Fake Security Software - Part 
Seventeen (2009-03-31 17:58 ) 

April 

■ Bogus Linkedln Profiles Redirect to Malware and 
Rogue Security Software (2009-04-01 17:38 ) 

■ Inside a Zeus Crimeware Developer's To-Do List 
(2009-04-08 20:39 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Eighteen (2009-04-08 21:26 ) 

■ Conficker's Sea re ware/Fake Security Software 
Business Model (2009-04-14 19:55 ) 

■ Twitter Worm Mike v v Keywords Hijacked to 
Serve Sea re ware (2009-04-15 22:26 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Nineteen (2009-04-16 17:24 ) 

■ A CCDCOE Report on the Cvber Attacks Against 
Geor gia (2009-04-16 19:20 ) 

■ Massive Blackhat SEP Campaign Servin g 
Sea re ware (2009-04-22 19:57 ) 

■ S namvertised Swine Flu Domains (2009-04-28 
22:27 ) 

■ Massive SOL Injections Through Search Engine's 
Reconnaissance - Part Two (2009-04-29 14:32 ) 

■ 419 Scam Artists Using NYTimes.com 'Email 
this' Feature (2009-04-30 23:03 ) 

Mav 

■ Summarizing Zero Day's Posts for April (2009- 
05-01 10:05 ) 

■ Dissecting a Swine Flu Black SEP Campai gn 
(2009-05-06 16:05 ) 















































































■ S oamvertised Swine Flu Domains - Part Two 

(2009-05-06 16:20 ) 

■ Patin a S oam Campaign Promotes Bogus Datin g 
Agency (2009-05-06 19:45 ) 

■ SMS Ransomware Source Code Now Offered for 

Sale (2009-05-12 13:46 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Twent y (2009-05-14 20:30 ) 

■ GazTranzitStrovinfo - a Fake Russian Gas 
Company Facilitatin g C ybercrime (2009-05-19 
23:37 ) 

■ GazTranzitStrovinfo - a Fake Russian Gas 
Company Facilitatin g C ybercrime (2009-05-19 
23:37 ) 

■ Inside a Money Laundering Group's Spammin g 
O perations (2009-05-26 18:41 ) 

■ Inside a Money Laundering Group's Spammin g 
O perations (2009-05-26 18:41 ) 

■ 3rd SMS Ransomware Variant Offered for Sale 

(2009-05-27 19:50 ) 

° lune 

■ Datin g S oam Campaign Promotes Bogus Datin g 
A gency - Part Two (2009-06-02 15:21 ) 

■ Summarizing Zero Day's Posts for Ma y (2009- 
06-02 15:49 ) 

■ From Ukrainian Blackhat SEP Gang With Loye 
(2009-06-04 16:45 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Twenty One (2009-06-05 16:37 ) 

■ Fake Web Hosting Provider - Front-end to 
Scare ware Blackha t SEP Campaign at Blo osoot 
(2009-06-08 09:37 ) 

■ GazTransitStroy/GazTranZitStrov Rubbin g 
Shoulders with Petersburg Internet Network LLC 
(2009-06-08 14:28 ) 


















































































■ From Ukrainian Blackhat SEP Gang With Love - 
Part Two (2009-06-09 23:03 ) 

■ Iranian O p position DDoS-es oro-Ahmadineiad 
Sites (2009-06-16 12:53 ) 

■ From Ukraine with Sea re ware Serving Tweets . 
Bogus Linkedln/Scribd Accounts , and Blackhat 
SEP Farms (2009-06-1 7 18:36 ) 

■ A Peek Inside the Managed Blackhat SEP 
Ecosystem (2009-06-24 14:21 ) 

■ Ethiopian Embassy in Washington D.C Servin g 
Malware - Part Two (2009-06-25 14:01 ) 

July. 

■ Summarizing Zero Day's Posts for tune (2009- 
07-01 22:26 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Twenty Two (2009-07-03 18:34 ) 

■ The Multitasking Fast-Flux Botnet that Wants to 
Bank With You (2009-07-07 07:28 ) 

■ Legitimate Software T v oosouatted in SMS Micro- 
Pa vment Scam (2009-07-07 14:07 ) 

■ Transmitter.C Mobile Malware in the Wild (2009- 
07-08 20:02 ) 

■ Dissecting Koobface Worm's Twitter Campai gn 
(2009-07-15 16:49 ) 

■ 4th SMS Ransomware Variant Pffered for Sale 

(2009-07-16 18:48 ) 

■ From Ukraine with Bogus Twitter . Linkedln and 
Scribe! Accounts (2009-07-16 22:57 ) 

■ Koobface - Come Put . Come Put . Wherever You 
Are (2009-07-22 11:09 ) 

■ Koobface - Come Put . Come Put . Wherever You 
Are (2009-07-22 11:09 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Twenty Three (2009-07-27 17:59 ) 

■ 5th SMS Ransomware Variant Pffered for Sale 

(2009-07-29 13:17 ) 















































































■ Social Engineering Driven Web Malware 
Exploitation Kit (2009-07-30 16:36 ) 

■ Social Engineering Driven Web Malware 
Exploitation Kit (2009-07-30 16:36 ) 

August 

■ Summarizing Zero Day's Posts for lulv (2009-08- 
03 17:02 ) 

■ Managed Polymorphic Script Obfuscation 
Services (2009-08-04 19:32 ) 

■ Movement on the Koobface Front (2009-08-04 
21 : 10 ) 

■ Movement on the Koobface Front (2009-08-04 
21 : 10 ) 

■ Scareware Template Localized to Arabic (2009- 
08-05 22:07 ) 

■ Blackhat SEP Campaign H i jacks U.S Federal 
Form Keywords , Serves Scareware (2009-08-06 
21:29 ) 

■ U.S Federal Forms Blackhat SEP Themed 
Scareware Campaign Expandin g (2009-08-10 
18:53 ) 

■ Dissecting the Pngoing U.S Federal Forms 
Themed Blackhat SEP Campai gn (2009-08-18 
17:35 ) 

■ Dissecting the Pngoing U.S Federal Forms 
Themed Blackhat SEP Campai gn (2009-08-18 
17:35 ) 

■ Movement on the Koobface Front - Part Two 

(2009-08-19 11:27 ) 

■ Movement on the Koobface Front - Part Two 

(2009-08-19 11:27 ) 

■ 6th SMS Ransom ware Variant Pffered for Sale 

(2009-08-24 18:14 ) 

September 

■ Summarizing Zero Day's Posts for August (2009- 
09-01 15:46 ) 











































































■ 

SMS Ransomware Disolavs Persistent Inline Ads 

■ 

(2009-09-03 15:14) 

SMS Ransomware Disolavs Persistent Inline Ads 

■ 

(2009-09-03 15:14) 

News Items Themed Blackhat SEO Camoaian 

■ 

Still Active (2009-09-07 22:42) 

Ukrainian "Fan Club" Features Malvertisement at 

■ 

NYTimes.com (2009-09-14 20:04) 

Koobface Botnet's Sea reware Business Model 

■ 

(2009-09-16 20:45) 

Koobface Botnet's Sea re ware Business Model 

■ 

(2009-09-16 20:45) 

The Ultimate Guide to Sea re ware Protection 

■ 

(2009-09-18 19:03) 

Dissectina Seotember's Twitter Sea reware 

■ 

Camoaian (2009-09-25 12:03) 

Dissectina Seotember's Twitter Sea reware 

Camoaian (2009-09-25 12:03) 

October 

m 

m 

Summarizina Zero Dav's Posts for Seotember 
(2009-10-01 15:38) 

Standardizina the Monev Mule Recruitment 

■ 

Process (2009-10-06 09:23) 

Standardizina the Monev Mule Recruitment 

■ 

Process (2009-10-06 09:23) 

Koobface Botnet Dissected in a Trend Micro 

■ 

Reoort (2009-10-14 18:22) 

Koobface Botnet Dissected in a Trend Micro 

■ 

Reoort (2009-10-14 18:22) 

Sea re ware Servina Conficker.B Infection Alerts 

■ 

Soam Camoaian (2009-10-20 18:51) 

Koobface Botnet Redirects Facebook's IP Soace 

■ 

to mv Bloa (2009-10-21 22:28) 

Koobface Botnet Redirects Facebook's IP Soace 


to mv Blo a (2009-10-21 22:28 ) 



































































■ On going FDIC Spam Campaign Serves Zeus 
Crimeware (2009-10-27 23:46 ) 

November 

■ Summarizing Zero Day's Posts for October 
(2009-11-02 23:29 ) 

■ Pricing Scheme for a DDoS Extortion Attack 
(2009-11-03 10:58 ) 

• Koobface Botnet's Scareware Business Model - 

Part Two (2009-11-11 19:03 ) 

■ Koobface Botnet's Scareware Business Model - 

Part Two (2009-11-11 19:03 ) 

■ Keening Money Mule Recruiters on a Short 
Leash (2009-11-16 23:09 ) 

■ One Year Worth of Zeus Crimeware 
Development Through the Eves of the 
C vbercriminal (2009-11-16 23:31 ) 

■ Massive Scareware Serving Blackhat SEP , the 
Koobface Gan g Style (2009-11-17 22:36 ) 

■ Massive Scareware Serving Blackhat SEP , the 
Koobface Gan g Style (2009-11-17 22:36 ) 

■ "Your mailbox has been deactivated" Soam 
Campaign Serving Crimeware (2009-11-17 
23:11 ) ' 

■ Scareware Campaign Using Google Sponsored 
Links (2009-11-19 00:30 ) ‘ 

■ Koobface Botnet Starts Serving Client-Side 
Ex ploits (2009-11-25 20:09 ) 

■ Koobface Botnet Starts Serving Client-Side 
Ex ploits (2009-11-25 20:09 ) 

■ Summarizing Zero Day's Posts for November 
(2009-11-30 20:00 ) 

December 

■ Pushdo Injecting Bogus Swine Flu Vaccine 
(2009-12-02 09:32 ) 

■ Celebritv-Themed Scareware Campaign Abusin g 
DocStoc and Scribd (2009-12-03 22:18 ) 















































































■ Keeping Reshi o oina Mule Recruiters on a Short 
Leash (2009-12-07 20:26 ) 

■ Celebritv-Themed Sea re ware Campaign Abusin g 
DocStoc (2009-12-07 22:17 ) 

■ A Diverse Portfolio of Fake Security Software - 
Part Twenty Four (2009-12-21 22:58 ) 

■ Koobface-Friendlv Riccom LTD - AS29550 - 
(Finall y ) Taken Offline (2009-12-22 10:49 ) 

■ Koobface-Friendlv Riccom LTD - AS29550 - 
(Finall y ) Taken Offline (2009-12-22 10:49 ) 

■ The Koobface Gang Wishes the Industry "Ha ppy 
Holidays" (2009-12-26 23:25 ) 

■ The Koobface Gang Wishes the Industry "Ha oov 
Holidays" (2009-12-26 23:25 ) 

2010 
° January 

■ Summarizing Zero Day's Posts for December 
(2010-01-04 22:03 ) 

■ To o Ten Must-Read Posts at ZDNet's Zero Da v 
for 2009 (2010-01-04 22:10 ) 

■ To o Ten Must-Read DDanchev Posts For 2009 

(2010-01-04 22:37 ) 

■ Scareware . Blackhat SEP . S oam and Goo gle 
Groups Abuse . Courtesy of the Koobface Gan g 
(2010-01-08 17:29 ) 

■ Outlook Web Access Themed Soam Campai gn 
Serves Zeus Crimeware (2010-01-08 23:53 ) 

■ Push do Serving Crimeware . Client-Side Exploits 
and Russian Bride Scams (2010-01-13 21:10 ) 

■ Follow Me on Twitter! (2010-01-18 19:05 ) 

■ Facebook/AOL Update Tool Soam Campai gn 
Serving Crimeware and Client-Side Exploits 
(2010-01-26 09:34 ) 

■ Inside a Commercial Chinese DIY DDoS Platform 

(2010-01-26 14:28 ) 














































































■ Inside a Commercial Chinese DIY DDoS Platform 

(2010-01-26 14:28 ) 

Februar y 

■ Summarizing Zero Day's Posts for lanuar v 
(2010-02-01 22:34 ) 

■ How the Koobface Gang Monetizes Mac OS X 
Traffic (2010-02-02 18:07 ) 

■ How the Koobface Gang Monetizes Mac OS X 
Traffic (2010-02-02 18:07 ) 

■ PhotoArchive Crimeware/Client-Side Exploits 
Servin g Campaign in the Wild (2010-02-03 
22:42 ) 

■ A Diverse Portfolio of Scareware/Blackhat SEP 

Redirectors Courtesy of the Koobface Gan g 
(2010-02-04 00:50 ) 

■ A Diverse Portfolio of Scareware/Blackhat SEP 

Redirectors Courtesy of the Koobface Gan g 
(2010-02-04 00:50 ) 

■ A Diverse Portfolio of Scareware/Blackhat SEP 

Redirectors Courtesy of the Koobface Gan g 
(2010-02-04 00:50 ) 

• Keening Money Mule Recruiters on a Short 
Leash - Part Two (2010-02-09 20:17 ) 

■ Tax Report Themed Zeus/Client-Side Exploits 
Servin g Campaign in the Wild (2010-02-11 
22:19 ) 

■ Anonymous' Group's DDoS Operation Titstorm 
(2010-02-12 01:40 ) 

■ 'Anonymous' Group's DDoS Operation Titstorm 
(2010-02-12 01:40 ) 

■ Dissecting an Ongoing Money Mule Recruitment 
Cam paign (2010-02-12 23:46 ) 

■ Dissecting an Ongoing Money Mule Recruitment 
Cam paign (2010-02-12 23:46 ) 

■ IRS/PhotoArchive Themed Zeus/Client-Side 
Exploits Servin g Campaign in the Wild (2010-02- 














































































15 23:34 ) 

■ IRS/PhotoArchive Themed Zeus/Client-Side 
Exploits Servin g Campaign in the Wild (2010-02 - 
15 23:34 ) 

■ Don't Plav Poker on an infected Table - Part Two 
(2010-02-25 13:17 ) 

■ Fotoloa's FTLoa Malware Campaign Serves 
Bogus Video Codecs (2010-02-26 00:02 ) 

March 

■ Summarizing Zero Day’s Posts for Februar y 
(2010-03-02 21:20 ) 

■ Don't Plav Poker on an infected Table - Part 
Three (2010-03-09 22:43 ) 

■ AS50215 Trovak-as Taken Offline , Zeus C&Cs 
Drop from 249 to 181 (2010-03-10 21:01 ) 

• Money Mule Recruiters on Yahoo! 's Web Hostin g 
(2010-03-11 20:41 ) 

■ Sea re ware , Sinowal , Client-Side Exploits Servin g 
S pam Campaign in the Wild (2010-03-13 00:17 ) 

■ Koobface Redirectors and Sea re ware Campai gns 
Now Hosted in Moldova (2010-03-15 13:51 ) ' 

■ The Current State of the Crimeware Threat 

(2010-03-20 17:05 ) 

■ Keeping Money Mule Recruiters on a Short 
Leash - Part Three (2010-03-20 23:14 ) 

■ GazTransitStro v/GazTranZitStro v: From 

Sea re ware to Zeus Crimeware and Client-Side 

Ex ploits (2010-03-24 00:22 ) 

■ Zeus Crimeware/Client-Side Exploits Servin g 
Campaign in the Wild (2010-03-24 20:29 ) 

■ Copyri ght Lawsuit Filed Against You Themed 
Malware Campai gn (2010-03-29 17:42 ) 

■ Money Mule Recruitment Campaign Servin g 
Client-Side Exploits (2010-03-30 18:51 ) 

■ Money Mule Recruitment Campaign Servin g 
Client-Side Exploits (2010-03-30 18:51 ) 

















































































April 

■ Summarizing Zero Day's Posts for March (2010- 
04-01 10:58 ) 

■ Keeping Money Mule Recruiters on a Short 
Leash - Part Four (2010-04-09 10:54 ) 

■ Dissecting Northwestern Bank's Client-Side 
Exploits Servin g Site Compromise (2010-04-12 
12:03 ) 

■ Copyri ght Violation Alert Themed Ransomware 
in the Wild (2010-04-12 19:51 ) 

■ Copyri ght Violation Alert Themed Ransomware 
in the Wild (2010-04-12 19:51 ) 

• iPhone Unlocking Themed Malware Campai gn 
S oamvertised (2010-04-14 20:20 ) 

■ Face book FarmTown Malvertising Campai gn 
Courtesy of the Koobface Gan g (2010-04-16 
19:03 ) 

■ Dissecting the WordPress Blogs Compromise at 
Network Solutions (2010-04-18 23:31 ) 

■ Dissecting the WordPress Blogs Compromise at 
Network Solutions (2010-04-18 23:31 ) 

■ The DNS Infrastructure of the Money Mule 
Recruitment Ecosystem (2010-04-20 18:46 ) 

■ Dissecting Koobface Gang's Latest Facebook 
S preading Campai gn (2010-04-27 14:53 ) 

■ Dissecting Koobface Gang's Latest Facebook 
S preading Campai gn (2010-04-27 14:53 ) 

■ GoDaddv's Mass WordPress Blogs Compromise 
Serving Sea reware (2010-04-27 21:22 ) 

■ GoDaddv's Mass WordPress Blogs Compromise 
Serving Sea reware (2010-04-27 21:22 ) 

■ Summarizing Zero Day's Posts for April (2010- 
04-29 14:09 ) 

May 

■ U.S. Treasury Site Compromise Linked to the 
NetworkSoiutions Mass WordPress Bio gs 

























































































Compromise (2010-05-04 22:56 ) 

■ U.S. Treasury Site Compromise Linked to the 
NetworkSoiutions Mass WordPress Bio as 

Compromise (2010-05-04 22:56 ) 

■ From the Koobface Gang with Sea re ware 
Servin g Compromised Sites (2010-05-08 20:46 ) 

■ From the Koobface Gang with Sea re ware 
Servin g Compromised Sites (2010-05-08 20:46 ) 

■ TorrentReactor.net Serving Crime ware . Client- 
Side Exploits Through a Malicious Ad (2010-05- 
11 08:34 ) 

■ TorrentReactor.net Serving Crime ware . Client- 
Side Exploits Through a Malicious Ad (2010-05- 
11 08:34 ) 

■ Dissecting the Mass Dream Host Sites 
Compromise (2010-05-11 22:19 ) 

■ Dissecting the Mass Dream Host Sites 
Compromise (2010-05-11 22:19 ) 

■ S oamvertised i lunes Gift Certificates and CV 

Themed Malware Campaigns (2010-05-13 
20:16 ) 

■ The Avalanche Botnet and the TROYAK-AS 

Connection (2010-05-13 22:14 ) 

■ The Avalanche Botnet and the TROYAK-AS 

Connection (2010-05-13 22:14 ) 

■ Koobface Gang Responds to the "10 Things You 
Didn't Know About the Koobface Gang Post" 
(2010-05-17 21:23 ) 

■ Koobface Gang Responds to the "10 Things You 
Didn't Know About the Koobface Gang Post " 
(2010-05-17 21:23 ) 

■ inside a Commercial Chinese DiY DDoS Tool 

(2010-05-26 13:55 ) 

■ S oamvertised Client-Side Exploits Serving Adult 
Content Themed Campai gn (2010-05-28 15:29 ) 
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■ Summarizing Zero Day's Posts for Ma v (2010- 
05-31 18:40 ) 

June 

■ Vendor of Mobile S aving Ad ds Drives Biz Model 
Through DIY Generators (2010-06-03 15:09 ) 

■ Dissecting the Ongoing U.S Federal Forms 
Themed Blackhat SEP Campaign - Part Two 
(2010-06-03 18:56 ) 

■ Dissecting the 100 . 000+ Scareware Servin g 
Fake YouTube Pages Campai gn (2010-06-08 
21:49 ) 

■ Facebook Photo Album Themed Malware 
Campai gn. Mass SOL Injection Attacks Courtes y 
of AS42560 (2010-06-15 16:05 ) 

■ Dissecting the Exoloits/Scareware Servin g 
Twitter Soam Campai gn (2010-06-16 14:32 ) 

■ Sampling 419 Advance Fee Scams Activit y 
(2010-06-17 16:25 ) 

■ Money Mule Recruiters Trick Mules Into Installin g 
Fake Transaction Certificates (2010-06-29 
11:07 ) 

o Ju]y m 

■ Summarizing Zero Day's Posts for tune (2010- 
07-05 21:35 ) 

■ C vbercriminals SOL Inject Cvbercrime-friendl v 
Proxies Service (2010-07-13 23:00 ) 

■ Exploits . Malware , and Scareware Courtesy of 
AS6851 . BKCNET . Saoade Ltd. (2010-07-14 
19:54 ) 

■ Sampling Malicious Activity inside Cvbercrime- 
Friendlv Search Engines (2010-07-15 17:44 ) 

■ S oamvertised Amazon "Verify Your Email" . "Your 
Amazon Order" Malicious Emails (2010-07-16 
21:17 ) 

■ Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campai gn (2010-07-19 





















































































20:26 ) 

■ ZeuS Crimeware Serving 123Greetinas Ecard 
Themed Campaign in the Wild (2010-07-20 
23:40 ) 

August 

■ Summarizing Zero Day's Posts for lulv (2010-08- 
02 14:54 ) 

■ S oamvertised Best Bu v. Mac v's. Evite and 
Target Themed Scareware/Exoioits Servin g 
Campaign (2010-08-09 14:19 ) 

■ Dissecting a Scareware-Serving Black Hat SEP 
Campaign Using Compromised .NU.CH Sites 
(2010-08-13 17:09 ) 

September 

■ Historical OS I NT: Celebrities Death . Fed ex 
Invoices . Office-Themed Malware Campai gns 
(2010-09-08 21:07 ) 

■ Summarizing 3 Years of Research Into Cvber 
lihad (2010-09-11 16:24 ) 









































